


Re: Denial of service when using Active Directory for KDC ? #4

To use a computer account in AD for a principal you first have to create a normal
computer account (e.g. mmtest) and then execute:

 
C:\program files\Support Tools>ktpass -out d:\Temp\test1.keytab -pass Test000$ -crypto rc4-hmac-nt /ptype KRB5_NT_SRV_HST -princ testsvc/moelma.test.com@TEST.COM -mapuser mmtest$@TEST.COM
Targeting domain controller: testkdc.test.com
Using legacy password setting method
Successfully mapped testsvc/moelma.wks.uk.deuba.com to MMTEST$.
WARNING: Account MMTEST$ is not a user account (uacflags=0x1021).
WARNING: Resetting MMTEST$'s password may cause authentication problems if MMTEST$ is being used as a server.

Reset MMTEST$'s password [y/n]?  y
Key created.
Output keytab to d:\Temp\test1.keytab:
Keytab version: 0x502
keysize 81 testsvc/moelma.test.com@TEST.COM ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0x5443b0c1ad573155fa2d95eee1971574)


This will create a keytab with an RC4 key which is mapped to a computer account.
Any password expiry set for user accounts (e.g. domain-wide settings) won't
affect the computer account.

Regards
Markus






On Fri May  6  9:34 , jpbermejo <jpbermejo@prisacom.com> sent:

>On Thu, 2005-05-05 at 21:52 +0100, Markus Moeller wrote:
>> Tim,
>> in our setup we use computer accounts instead of user accounts, and haven't
>> experienced this issue. I think the latest ktpass can do this with
>> mapuser having a $ at the end.
>
>I don't know about computer accounts, but this DoS is not possible if
>you are using service principals. Active Directory doesn't allow login
>for service principals, and keytabs are only useful to decrypt tickets.
>Making an LDAP query to AD, you can get things like
>
>dNSHostName: sist03lnx.domain.com
>userPrincipalName: HOST/sist03lnx@DOMAIN.COM
>servicePrincipalName: HTTP/sist03lnx.domain.com
>servicePrincipalName: HTTP/sist03lnx
>
>In this case, only HOST/sist03lnx keytab works with `kinit -k`. If you
>attempt to get a TGT with the other principals, you get nothing.
>
>Javier Palacios
>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

huaraz1 (352)
5/6/2005 9:20:41 AM
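
The entry line that ktpass prints in the message above (principal, ptype, vno, etype, keylength) can be re-derived from the keytab file itself. The following is an added example, not part of the original post and not ktpass code: a reader for the version 0x502 keytab layout as implemented by MIT Kerberos, which lists each entry without printing key material and picks out DES and RC4-HMAC keys. The function names and the sample bytes (built with an all-zero placeholder key) are assumptions made for illustration.

```python
import struct

# Encryption type numbers from the Kerberos etype registry.
ETYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
          18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
# Name types from RFC 4120; ktpass prints them as "ptype".
PTYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}
# DES (RFC 6649) and RC4-HMAC (RFC 8429) enctypes are deprecated for Kerberos.
DEPRECATED = {1, 2, 3, 23, 24}


def _counted(buf, off):
    """Read a uint16 length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + n
    if end > len(buf):
        raise ValueError("counted string runs past end of entry")
    return buf[off + 2:end], end


def _parse_entry(rec):
    (ncomp,) = struct.unpack_from(">H", rec, 0)
    realm, off = _counted(rec, 2)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(rec, off)
        comps.append(comp.decode("utf-8", "replace"))
    # name type, timestamp, 8-bit kvno, key enctype (11 bytes, big-endian)
    ptype, _ts, vno8, etype = struct.unpack_from(">IIBH", rec, off)
    key, off = _counted(rec, off + 11)
    kvno = vno8
    if len(rec) - off >= 4:
        # Optional trailing 32-bit kvno; a non-zero value overrides the 8-bit one.
        (vno32,) = struct.unpack_from(">I", rec, off)
        kvno = vno32 or vno8
    return {"principal": "/".join(comps) + "@" + realm.decode("utf-8", "replace"),
            "ptype": ptype, "kvno": kvno, "etype": etype, "keylength": len(key)}


def parse_keytab(data):
    """Return the live entries of a version 0x502 keytab (key bytes are not kept)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:            # hole left by a deleted entry: skip -size bytes
            off += -size
            continue
        if off + size > len(data):
            raise ValueError("truncated entry")
        entries.append(_parse_entry(data[off:off + size]))
        off += size
    return entries


def describe(e):
    """Format an entry the way ktpass reports it, minus keysize and key."""
    return "%s ptype %d (%s) vno %d etype 0x%x (%s) keylength %d" % (
        e["principal"], e["ptype"], PTYPES.get(e["ptype"], "?"), e["kvno"],
        e["etype"], ETYPES.get(e["etype"], "?"), e["keylength"])


def deprecated_entries(entries):
    return [e for e in entries if e["etype"] in DEPRECATED]


def build_entry(realm, comps, ptype, kvno, etype, key, with_vno32=False):
    """Helper used only to construct the sample below."""
    def cs(b):
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", ptype, 0, kvno & 0xFF, etype) + cs(key)
    if with_vno32:
        body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: the principal from the post with a placeholder RC4 key,
# a 10-byte hole, and a constructed AES256 entry carrying a 32-bit kvno.
_NAME = ["testsvc", "moelma.test.com"]
SAMPLE = (b"\x05\x02"
          + build_entry("TEST.COM", _NAME, 3, 1, 23, bytes(16))
          + struct.pack(">i", -10) + bytes(10)
          + build_entry("TEST.COM", _NAME, 3, 300, 18, bytes(32), with_vno32=True))

if __name__ == "__main__":
    found = parse_keytab(SAMPLE)
    for entry in found:
        print(describe(entry))
    for entry in deprecated_entries(found):
        print("deprecated enctype:", entry["principal"], hex(entry["etype"]))
```
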
comp.protocols.kerberos 5541 articles. 1 followers. jwinius (31) is leader. Post Follow

0 Replies
302 Views

Similar Articles

[PageSpeed] 10

Reply:

Similar Artilces:

RE: Denial of service when using Active Directory for KDC ?
Javier, Thankyou. I have a related question for your : In order to use a user account which is then used to run ktpass against I need to first create the user account (e.g. service.account@domain.com). When I use ktpass I specify the name of this account using the -mapuser parameter. With the above in consideration, surely it is possible to use kinit, or windows logon, or some other authentication method to logon as service.account@domain.com and cause this account to get locked when password attempt is wrong > x times ? If I understand it correctly the principal name given when ktpass is run is used as an alias, but the account in AD can still be accessed using the firstname.lastname@domain format ? I look forward to your feedback. Regards, Tim ________________________________ From: jpbermejo [mailto:jpbermejo@prisacom.com] Sent: Fri 06/05/2005 09:34 To: Markus Moeller; Tim Alsop Cc: kerberos@mit.edu Subject: Re: Denial of service when using Active Directory for KDC ? On Thu, 2005-05-05 at 21:52 +0100, Markus Moeller wrote: > Tim, > in our setup we use computer accounts instead of user accounts, and don't > have experienced this issue. I think the latest ktpass can do this with > mapuser having a $ at the end. I don't know about computer accounts, but this DoS is not possible if you are using service principals. Active Directory doesn't allow login for service principals, and keytab are only useful to decrypt tickets. Making an l...

RE: Denial of service when using Active Directory for KDC ? #3
Markus, Thankyou. This works for us now. I appreciate your help. Regards, Tim ________________________________ From: Markus Moeller [mailto:huaraz@moeller.plus.com] Sent: Fri 06/05/2005 10:20 To: Markus Moeller; Tim Alsop; jpbermejo Cc: kerberos@mit.edu Subject: Re: Denial of service when using Active Directory for KDC ? To use a computer account in AD for a principal you have to create first a normal computer account (e.g. mmtest) and execute then: C:\program files\Support Tools>ktpass -out d:\Temp\test1.keytab -pass Test000$ -crypto rc4-hmac-nt /ptype KRB5_NT_SRV_HST -princ te stsvc/moelma.test.com@TEST.COM -mapuser mmtest$@TEST.COM Targeting domain controller: testkdc.test.com Using legacy password setting method Successfully mapped testsvc/moelma.wks.uk.deuba.com to MMTEST$. WARNING: Account MMTEST$ is not a user account (uacflags=0x1021). WARNING: Resetting MMTEST$'s password may cause authentication problems if MMTEST$ is being used as a server. Reset MMTEST$'s password [y/n]? y Key created. Output keytab to d:\Temp\test1.keytab: Keytab version: 0x502 keysize 81 testsvc/moelma.test.com@TEST.COM ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0x5443b0c1ad573155fa2d95eee1971574) This will create a keytab with a RC4 key which is mapped to a computer account. Any password expiry set for user accounts (e.g. domain wide settings) won't affect the computer account. Regards Markus On Fri May 6 9:34 , jpbermejo <jpb...

RE: Denial of service when using Active Directory for KDC ? #2
Javier, Thank you again. I understand that the use of computer accounts either with ktpass or via another tool (our longer term goal) is the best approach. I am exchanging emails with Markus to find out how to use ktpass (short term solution) for computer account creation. I am yet to try his latest suggestion. We will eventually build a netjoin based utility, which will run on each system instead of on the domain controller. This will be similar to the code you refer to from CSS or provided with Samba, but will be supported by us for our customers to use with our products. Regards, Tim ________________________________ From: jpbermejo [mailto:jpbermejo@prisacom.com] Sent: Fri 06/05/2005 10:59 To: Tim Alsop Cc: Markus Moeller; kerberos@mit.edu Subject: RE: Denial of service when using Active Directory for KDC ? On Fri, 2005-05-06 at 11:28 +0200, Tim Alsop wrote: > Javier, > > Thankyou. I have a related question for your : > > In order to use a user account which is then used to run ktpass > against I need to first create the user account (e.g. I did use that method many months ago, with a 2000 domain. Now, with a 2003 domain I've actually never tried ktpass seriously, and I use either samba or css_adkadmin. The first one forces node.domain.com into node$ as principal name, where the second allows HOST/node.domain.com. Both are standar computer accounts as any other windows machine. You can get a TGT (or any other tickets) for these principals...

Denial of service when using Active Directory for KDC ?
Hi, I wondered if anybody has any experience of this potential DoS issue : - It is common, when using Active Directory as a KDC for user accounts to be used when creating service principals, and using the Microsoft ktpass.exe utility to create a key table file. - It is also possible to configure Active Directory so that when a user gets their password wrong more than a specific number of times their account is locked until an administrator unlocks them. - If somebody tries to logon (deliberately, or by mistake) using an account which is being used for a service principal, and gets the password wrong many times, we assume that the account will be locked in the same way as a normal user account would be locked. - If an account gets locked and it is being used for a service principal, how does Active Directory handle this ? Does it still issue service tickets for the principal when it receives a TGS request ? Is there any special logic in AD so that accounts being used in this way are not locked ? We plan to do some tests to understand what effect this might have, and whether there is cause for concern, but I wanted to first see if anybody else has come across this potential DoS, or has any ideas ? Any feedback welcome. Take care, Tim ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Tim, in our setup we use computer accounts instead of user accounts, and don...

Re: (Ab)use of Javascript; was Re: Web Services Increasingly Under #4
This is true, but it's no different than the cookies that are currently stored/tracked on these computers. To stretch my idea even further, if there is a will there is a way. All they have to do is create a simple little program that will change the system's IP address every time a new user logs on. Say a window will prompt for the login/password, and the login will be the IP. This will of course wreak havoc on the network structure, but with the advance of wireless networks and entire cities getting ready to go wifi, this is looking more and more like when cell phones first appeared on the market. I'm sure they can come up with routers that will send traffic from each IP to its appropriate router over wifi. Again, not saying that it's going to happen. Just letting my imagination work here. Julian Thomas wrote: >> If the government really wants to track people's online usage >> they'll have to give everyone the option to keep the same IP >> throughout their lifetime, much like they allow people to keep their >> phone numbers now. That way each IP address will have a name >> attached to it. > Hardly. Consider local network environments and shared usage computers, > where many users share the same IP. > Julian Thomas: http://jt-mj.net > In the beautiful Finger Lakes Wine Country of New York State! > Warpstock X - October 12-15 2006; Windsor, Ont. I'll be there - w...

RE: Advanced Server and Active Directory #4
> -----Original Message----- > From: Jerry Alan Braga [mailto:jerry.braga@hotmail.com] > Sent: April 20, 2007 11:33 AM > To: Info-VAX@Mvb.Saic.Com > Subject: Re: Advanced Server and Active Directory >=20 > what about the ldap from openvms 8.3? does it do the same for > authentication > without required pathworks to be fully running. >=20 [snip...] Not sure, but this link may be of interest: http://h71000.www7.hp.com/openvms/security.html Regards Kerry Main Senior Consultant HP Services Canada Voice: 613-592-4660 Fax: 613-591-4477 kerryDOTmainAThpDOTcom (rem...

service principal management with Active Directory KDC
Hi we want to use our Active Directory KDC to manage service principals for nfs and ssh for quite a few Linux and Solaris machines, and would prefer to automate generating the service principals and installing them on the clients. I was thinking that one way to approach this problem could be by installing Cygwin SSH daemon on the Active Directory server. Are there any downsides to this? The other way I think is to set up a cross-realm trust with an MIT KDC and have one MIT kerberos realm for service principals, and use the Active Directory for authenticating our user accounts. I haven't tried doing this yet, but imagine it's not too hard. If anyone has any thoughts or ideas about this, I'd be happy to hear them. Thanks! Rohit ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos On Tue, 03 Apr 2007 10:17:41 -0400 Rohit Kumar Mehta <rohitm@engr.uconn.edu> wrote: > > Hi we want to use our Active Directory KDC to manage service principals > for nfs and ssh for quite a few Linux and Solaris machines, and would > prefer to automate generating the service principals and installing them > on the clients. <snip> > If anyone has any thoughts or ideas about this, I'd be happy to hear > them. Thanks! Hi Rohit, There's a PHP extension for Linux called Plexcel that can create accounts in AD, add, modify and delete attri...

Issue with using Kerberos and Active Directory to take over
Hello I would like to call active directory by using power builder, what would you like to recommend to me. Thank you. _____________________________________________________________________________________________________________________________________________ Bu e-posta mesaji kisiye ozel olup, gizli bilgiler iceriyor olabilir. Eger bu e-posta mesaji size yanlislikla ulasmissa, icerigini hic bir sekilde kullanmayiniz ve ekli dosyalari acmayiniz. Bu durumda lutfen e-posta mesajini kullaniciya hemen geri gonderiniz ve tum kopyalarini mesaj kutunuzdan siliniz. Bu e-posta mesaji, hic bir sekilde, herhangi bir amac icin cogaltilamaz, yayinlanamaz ve para karsiligi satilamaz. Bu e-posta mesaji viruslere karsi anti-virus sistemleri tarafindan taranmistir. Ancak yollayici, bu e-posta mesajinin - virus koruma sistemleri ile kontrol ediliyor olsa bile - virus icermedigini garanti etmez ve meydana gelebilecek zararlardan dogacak hicbir sorumlulugu kabul etmez. This message is intended solely for the use of the individual or entity to whom it is addressed , and may contain confidential information. If you are not the intended recipient of this message or you receive this mail in error, you should refrain from making any use of the contents and from opening any attachment. In that case, please notify the sender immediately and return the message to the sender, then, delete and destroy all copies. This e-mail message, can not be copied, published or sold for any reason. ...

RE: Using py2exe to wrap a service? #4
[MaR] |=20Tim=20Golden=20wrote: |=20>=20[MaR] |=20> |=20>=20|=20I=20do=20not=20call=20pythoncom.CoInitialize=20()=20=20as=20I=20= tend=20to=20 |=20expect=20a=20module |=20>=20|=20wrapping=20COM=20stuff=20to=20do=20that. |=20> |=20>=20Hmmm.=20A=20slightly=20philosophical=20point. |=20[snip] |=20 |=20:o)=20I=20agree! |=20 |=20I=20have=20added=20the=20CoInit..=20call=20to=20the=20__init__()=20of=20= the=20threaded=20class |=20(I=20understood=20the=20documentation=20as=20that=20was=20a=20proper=20= place.) |=20The=20exception=20message=20changed! |=20Unfortunately=20I=20get=20lit...

Multiple Active Directory connections using LDAP/Kerberos
The application I am working on connects to one or more Windows 2003 domain controller using LDAP to retrieve information from the directory. I only require a single connection to be active at any one time, but want a single instance of the application to work through the configured connections in turn with no user intervention. The application is required to use Kerberos authentication, so in order to deal with different domain controllers and KDC hosts I am doing something like this: for each domain controller { System.setProperty("java.security.krb5.realm", <realm>...

Using kerberos w/o binding to active directory
I have a file server on the campus active directory that contains the home directories for all the users of campus computer lab. I would like for students to be able to connect to a share and access their files from their dorm PCs not on the active directory. The complication here is since their dorm PCs are not bound to the active directory, they are not using Kerberos for authentication. I'd like to come up with a set of instructions so they can get a Kerberos ticket and connect to the share, but I don't have a strong Kerberos background. I have been able to do this on a mac by setting up an appropriate /Library/Preferences/edu.mit.kerberos file (just like krb5.conf) and using the /System/Library/CoreServices/Kerberos application to get a ticket. Once this happens, the Mac user is able to connect to the share and see their files. This at least leads me to believe what I want to accomplish is possible. Berkeley has a set of instructions for their students to do this. Their AD also uses Kerberos for authentication: http://calnetad.berkeley.edu/documentation/interoperability/#item1 It seems to have the students install a .reg file which has the same effect as running the neccessary ksetup.exe commands. I have tried using this method to no avail - creating an analogous registry file by copying those keys from a working machine on the active directory. The difference in the event logs on the server side between the failed windows connections ...

RE: Re: Active Directory Support
>Isn't the most obvious design applicable ? Placing ad in a sub-domain >and having wintendo nameservers servicing that subdomain ? Well, yes, that design will work, but all of my Windows servers will = have the subdomain prepended to the root domain when all of the rest of = the servers will have none, or another subdomain. It would be best = organizationally to have a single, root domain (domain.com) to which all = servers belong to. I guess a more specific question would be if Windows = AD can run with BIND9 (with DDNS enabled) instead of with Windows DNS. = I can address the workstation issue by making them register all with a = subdomain keeping them out of my root domain. Chris Christopher P. Jenkins, Senior Consultant Concordant, Inc. P: 508-820-3080 F: 508-820-4367 C: 508-241-7415 E: chris.jenkins@concordantinc.com -----Original Message----- From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On = Behalf Of phn@icke-reklam.ipsec.nu Sent: Monday, January 05, 2004 12:26 PM To: comp-protocols-dns-bind@isc.org Subject: Re: Active Directory Support User, Public <public@seajay.com> wrote: > Content-Type: text/plain; > charset=3D"us-ascii" > Content-Transfer-Encoding: quoted-printable > Hello, > I am looking to consolidate DNS to a single platform for all systems = on > our network. Currently BIND8 is being used for all name resolution. = We > will...

RE: Re: Active Directory Support
So many subdomains.....why does Bill Gates have to make everything so difficult? Thanks for the info Len, it helps.. Chris Christopher P. Jenkins, Senior Consultant Concordant, Inc. P: 508-820-3080 F: 508-820-4367 C: 508-241-7415 E: chris.jenkins@concordantinc.com -----Original Message----- From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On Behalf Of Len Conrad Sent: Monday, January 05, 2004 1:31 PM To: bind-users@isc.org Subject: RE: Re: Active Directory Support >Isn't the most obvious design applicable ? Placing ad in a sub-domain >and having wintendo nameservers servicing that subdomain ? > >Well, yes, that design will work, but all of my Windows servers will = =3D >have the subdomain prepended to the root domain when all of the rest of =3D >the servers will have none, or another subdomain. It would be best =3D >organizationally to have a single, root domain (domain.com) to which all =3D >servers belong to. One approach is to sandbox AD in a subdomain, ad.domain.com, and delegate=20 that domain from the BIND NS authoritative for parent domain.com to the W2K=20 DNS as authoritative for ad.sudomain.com, under which go all the=20 _underscore domains, and your dynamic zones, reserving the parent domain to=20 BIND and the BIND zones static. >I guess a more specific question would be if Windows =3D >AD can run with BIND9 (with DDNS enabled) instead of with ...

Issue with using Kerberos and Active Directory to take over Sybase authentication
Hi, We are trying to implement Kerberos authentication (through Active Directory) for our Sybase 12.5.3 database (through a client-server Powerbuilder application). We have been told that we need some kind of mapping between Active Directory and Sybase user ID's (for authorization if not for anything else) - i.e. the Active Directory ID needs to be set up as a user in Sybase. However, our AD id's are in the format "firstname.lastname", which is an invalid sybase ID (because of the ".") - Oracle will also have the same issue. Does anyone out there have a workaround for this? Is the mapping really needed? Thanks!!! Herbert --------------------------------------------------------------------------- This message (including any attachments) is confidential and may be privileged. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorised use or dissemination of this message in whole or in part is strictly prohibited. Please note that e-mails are susceptible to change. ABN AMRO Bank N.V, which has its seat at Amsterdam, the Netherlands, and is registered in the Commercial Register under number 33002587, including its group companies, shall not be liable for the improper or incomplete transmission of the information contained in this communication nor for any delay in its receipt or damage to your system. ABN AMRO Bank N.V. (or its group companies) does not guarantee that the...

RE: kinit request on keytab fails using 2K3sp1 KDC #4
David, I have seen this problem before. It does not occur with the pre-SP1 version of ktpass. Conclusion : If you want to create keytable files which have correct kvno's and which work correctly with des, then you must use the pre-SP1 version of ktpass. Thanks, Tim -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer Sent: 23 March 2006 17:39 To: kerberos@mit.edu Subject: Re: kinit request on keytab fails using 2K3sp1 KDC Jeffrey Altman wrote: > Why do you need the kvno to be 1? It wasn't so much that they needed to match, more to tidy up the situation I had on the KDC. > For example, what is the enctype of the service ticket issued by the > KDC? Does that match the enctype of the keytab entry you are using? > > What do the following commands output? > > klist -e -k /etc/krb5.keytab > > kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK > klist -e > This appears to be the problem, the keytab is being generated with DES CBD MD5, the service principal is sending an ArcFour encrypted tgt. The reason this never occured to me is that the user account has the 'use DES encryption for this account' setting ticked. I have tried the following process to force the service principal to be DES; 1 - create account 2 - run ktpass util with -mapop set +DesOnly and -crypto DES-CBC-MD5 options set. 3 - view account properites and ensure that 'use DES encryption f...

Problem with MIT Kerberos v1.4, OpenSSH 3.9p1 and Active Directory
All: I seem to have run into a road block getting my Linux machines to authenticate against AD when coming in through OpenSSH. First, let me start off my listing what my environmnet is: Test Client: * RHEL Linux * MIT Kerboros v1.4 * OpenSSH v3.9p1 - Compiled using the following line: ../configure --with-tcp-wrappers --with-pam --with-kerberos5=/usr/kerberos --with-md5-passwords --prefix=/usr --sysconfdir=/etc/ssh Active Directory: * Windows 2003 Scenario 1: If I use my local account and password, I can get into the machine OK. I know that OpenSSH is functioning properly. At this point, if I do a 'kinit' I can successfully authenticate myself against AD and obtain my Keberos5 ticket. Scenario 2: If I change my account information to require that authentication take place using Kerberos, then I get the following error from the ssh daemon: debug1: Kerberos password authentication failed: ASN.1 encoding ended unexpectedly -- What I have been able to determine at this point is that if I remove my userid from the multitude of groups that it belongs to in AD, then I *can* successfully authenticate myself when I come in through OpenSSH, using Kerberos. -- If I place myself back into the same groups, I cannot authenticate myself and get the above error. In doing some reading, it appears as if I need to force TCP usage in the MIT Kerberos, which I have done. Everything still works when I do 'kinit' but nothing has changed in regards to OpenS...

RE: Problems trying to authenticate Unix users via Active Directory #4
Sorry, guess I was not clear. I had the "Do not required Kerberos pre-authentication" box checked for my AD user account and I was able to login into a Solaris 9 box using my AD credentials. With it unchecked, logins failed again. I can login to a Solaris 10 system using my AD credentials without any problems with that box unchecked. It is only when trying to authenticate against a Solaris 9 server (using SUN's Kerberos distribution) that the problem crops up. - Bill -----Original Message----- From: Douglas E. Engert [mailto:deengert@anl.gov] Sent: Monday, August 29, 2005 3:20 PM To: Smith, William E. (Bill), Jr. Cc: Wyllys Ingersoll; kerberos@mit.edu Subject: Re: Problems trying to authenticate Unix users via Active Directory Smith, William E. (Bill), Jr. wrote: > I did notice that things seem to work properly in Solaris 10 and > figured it must include TCP support. Modifying the user account > property to not require kerberos pre-authentication has worked but > that has some implications of its own. The Solaris 10 should support the pre-auth. It works for us. Why did you think you had to turn it off? With Solaris 5, 6, 7, 8, 9 we use/used the MIT kerberos. I will investigate some of the other > suggestions though > > Bill > > -----Original Message----- > From: Wyllys Ingersoll [mailto:wyllys.ingersoll@sun.com] > Sent: Monday, August 29, 2005 10:10 AM > To: Smith, William E. (Bill), Jr. > Cc: kerberos...

RE: [tao-users] RE: [ace-users] XML service configuration no longer works with ACE/TAO 5.4.5/1.4.5
Hi, > > Hi Lothar > > > > > � � ACE VERSION: 5.4.5 > > > > Thanks for using the PRF form. Could you try to find the > problem and send > > us patches to fix this? > > > > Regards, > > > > Johnny Willemsen > > I have no problem committing some time to the problem. I do > however know as > much as nothing about the ACE XML parser and it's recent > changes. It seems to > me that (some) of the recent changes might have caused the > test failures. So > if someone working actively on ACEXML gives me directions I > am willing to > spend my time investigating the problem. I can't remember that work has been done the last months so I am also amazed things broke. Nobody is actively working on it, so I think there are not much directions at this moment. Regards, Johnny Willemsen Remedy IT Postbus 101 2650 AC Berkel en Rodenrijs The Netherlands www.theaceorb.nl / www.remedy.nl On Wednesday 18 May 2005 11:01, Johnny Willemsen wrote: > Hi, > I can't remember that work has been done the last months so I am also > amazed things broke. Nobody is actively working on it, so I think there are > not much directions at this moment. Well, it did definiteley work with 5.4.4. So any changes that broke it must have been made between 5.4.4 and 5.4.5. I also read in the release email of 5.4.5 in the CIAO...

RE: Re: Active Directory Support #2
Or does Windows REQUIRE a closed AD-integrated zone (sub or root) using = Windows DNS servers? Christopher P. Jenkins, Senior Consultant Concordant, Inc. P: 508-820-3080 F: 508-820-4367 C: 508-241-7415 E: chris.jenkins@concordantinc.com -----Original Message----- From: bind-users-bounce@isc.org [mailto:bind-users-bounce@isc.org] On = Behalf Of phn@icke-reklam.ipsec.nu Sent: Monday, January 05, 2004 12:26 PM To: comp-protocols-dns-bind@isc.org Subject: Re: Active Directory Support User, Public <public@seajay.com> wrote: > Content-Type: text/plain; > charset=3D"us-ascii" > Content-Transfer-Encoding: quoted-printable > Hello, > I am looking to consolidate DNS to a single platform for all systems = on > our network. Currently BIND8 is being used for all name resolution. = We > will be adding a large Active Directory environment, and am looking = for > the best way to implement DNS. What we do not want is all WinXP/2000 > workstations DNS entries to show up in the BIND files, but want the AD > and Windows DNS to synchronize, but not completely. I am envisioning > having DNS on Windows handle the AD servers and workstations, and the > BIND8 servers to handle everything else. I would like to have all > entries in BIND8 synced to AD DNS, but not the other way. My = questions > are as follows: > =3D20 > Can I currently do this with BIND8? Need to implemen...

Samba 3.0 as Active Directory Domain Controller with MIT Kerberos 1.3 KDC?
"Gerald (Jerry) Carter" <jerry@samba.org> wrote in message news:<zwyd.1Tn.5@gated-at.bofh.it>... > The Samba Team is proud to announce the availability of the > first official release of the Samba 3.0 code base. > > Major new features: > - ------------------- > > 1) Active Directory support. Samba 3.0 is now able to > join a ADS realm as a member server and authenticate > users using LDAP/Kerberos. > Hi Gerald (Jerry) and Samba Team! Before anythings else, I'd just like to start by thanking you for your magnificent contribution to the Open Source community. I've been using Samba in various contexts for almost 2 years now and it's been a huge benefit to me. Thank you, Thank you, Thank you! I've been using Samba 2.2 as a PDC for a production environment with Windows XPP and Windows 2000 Pro clients and serving up a database application and Samba does beautifully at this task and has done so for more than a year. Since I see that with 3.0, Samba now supports Active Directory, it occurs to me that I might now be able to use Samba as an emulated Windows 2000 Domain Controller (i.e., an Active Directory Domain Controller with Kerberos), but perhaps that level of functionality is not there yet? I see in the Samba-HOWTO collection documentation (included with the 3.0 stable tarball and dated 21 April 2003) the following statements: ===================== The foll...

Re: [ace-users] Upgraded to 5.4.2. Can't use TP_Reactor Service Configurator Framwork