RE: is that common to use kerberos authentication for SUN iplanet LDAP server?
Whether a directory can do SASL/GSSAPI data privacy and/or integrity is
directory server specific. Some directories (AD) support privacy and/or
integrity protection. Others (Sun) don't, so you must use SSL.
One other thing to be aware of is that clients can downgrade the privacy
and integrity protection. If clients can downgrade the data
protection, it makes me wonder if an attacker can downgrade the session.
I haven't looked into it enough.
-dan
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Markus Moeller
Sent: Thursday, September 01, 2005 1:24 PM
To: kerberos@mit.edu
Subject: Re: is that common to use kerberos authentication for SUN
iplanet LDAP server?
Craig,
you say you use SASL + SSL. As far as I know SASL/GSSAPI can do encryption
too. What was the reason not to use SASL/GSSAPI with encryption? An example
is AD, which can be accessed via SASL/GSSAPI with encryption.
Thanks
Markus
"Craig Huckabee" <huck@spawar.navy.mil> wrote in message
news:4316DEC8.5060809@spawar.navy.mil...
> Kent Wu wrote:
>>
>> So my question is that is it pretty easy to enable Kerberos for SUN
>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>
> We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy
> against MIT Kerberos 1.3.x and use MIT KDCs. I think the binary versions
> they sold previously also use MIT Kerber...
RE: is that common to use kerberos authentication for SUN iplanet LDAP server?
You can use Sun's Directory server with a non-Sun KDC, you just have to
have SEAM (Sun's Kerberos) set up on the directory server (ie - it needs
the client libs). If you have an install on Solaris 9 or 10 I don't
even think you need to install anything - the Kerberos libs are already
there. (You will have to run the directory server on a Solaris box).
See http://docs.sun.com/source/817-7613/ssl.html
-dan
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Kent Wu
Sent: Wednesday, August 31, 2005 3:29 PM
To: kerberos@mit.edu
Subject: is that common to use kerberos authentication for SUN iplanet
LDAP server?
Hi guys,
Does anyone have experience on this to share?
I've set up a SUN LDAP server and it's running fine by
using simple authentication so far. Of course I want to
make it more secure (to protect the password while binding
to LDAP server) so I'm thinking either MD5-Digest or Kerberos.
However looks like SUN LDAP itself doesn't have kerberos
abilities and I have to install SEAM (Sun Enterprise Authentication
Mechanism) separately to enable Kerberos.....
So I was thinking that if I can easily configure SUN LDAP to
use MD5-digest then that should be the easiest however it seems
that I have to store the password as plain-text in LDAP
server to enable MD5-digest and I don't want to do that (Let
me know if there are other easier ways to enable MD5-digest).
So my question is th...
is that common to use kerberos authentication for SUN iplanet LDAP server?
Hi guys,
Does anyone have experience on this to share?
I've set up a SUN LDAP server and it's running fine by
using simple authentication so far. Of course I want to
make it more secure (to protect the password while binding
to LDAP server) so I'm thinking either MD5-Digest or Kerberos.
However looks like SUN LDAP itself doesn't have kerberos
abilities and I have to install SEAM (Sun Enterprise Authentication
Mechanism) separately to enable Kerberos.....
So I was thinking that if I can easily configure SUN LDAP to
use MD5-digest then that should be the easiest however it seems
that I have to store the password as plain-text in LDAP
server to enable MD5-digest and I don't want to do that (Let
me know if there are other easier ways to enable MD5-digest).
So my question is that is it pretty easy to enable Kerberos
for SUN LDAP after installing SEAM? Or can SUN LDAP use other
KDC as well?
Thanks a lot in advance !
P.S, I know LDAPS (LDAP over SSL) can easily achieve my goal
however I kinda think it's an overkill since I don't really
need to protect all the LDAP transactions except for the
password part...
-Kent
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Kent Wu wrote:
>
> So my question is that is it pretty easy to enable Kerberos
> for SUN LDAP after installing SEAM? Or can SUN LDAP use other
> KDC a...
Trouble authenticating with Kerberos & LDAP
I've been very frustrated trying to get this to work. We are trying to
use a windows 2003 server as our Kerberos server, along with our
openldap on solaris as our directory server. The machines we want to
authenticate on are all Solaris 9.
The ldap tree is fully populated, and working properly. With our
current nsswitch.conf, logins work using the ldap directory (with
posixAccount & shadowAccount records), as does a getent passwd
<ldapusername>.
Also, we have our Windows 2003 server's directory setup with named
users, and with our current pam.conf, we can authenticate aga...
Microsoft SSPI error
Hello,
I have a configuration of Active Directory 2003 R2 SP3 working with
Linux mod_auth_kerb.
I use SPNEGO for subversion.
When using Linux all works great!
When using Windows XP (and Windows 7) the Firefox/IE/cifs clients work great.
The problem is subversion, which uses neon; it gets the following:
---
Running post_send hooks
ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG
coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA
DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u
DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2
auth: SSPI challenge.
InitializeSecurityContext [fail] [80090304].
sspi: initializeSecurityContext [failed] [80090304].
---
At windows event log I see the following:
---
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40962
Date: 10/3/2011
Time: 3:55:38 PM
User: N/A
Computer: VALON
Description:
The Security System was unable to authenticate to the server
HTTP/correlux-gentoo.correlsense.com because the server has completed
the authentication, but the client authentication protocol Kerberos
has not.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
---
Has anyone seen this before?
I tried many configurations, but without success:
---
Gentoo
---
dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f
www-servers/apache-2.2.21
www-apache/mod_auth_kerb-5.4 -> also downgraded to m...
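The WWW-Authenticate value in the neon log above is a complete SPNEGO token, so it can be decoded to see what the server actually sent back. The following is an added example, not code from the post or from neon: a small DER walker that parses the NegTokenResp (RFC 4178) and the Kerberos GSS token inside it (RFC 1964 framing around an RFC 4120 message). The base64 string is copied verbatim from the log lines above; everything else is mine. It reports structure only and does not explain the 80090304 failure.

```python
"""Decode a SPNEGO Negotiate header value (NegTokenResp, RFC 4178) and the
Kerberos GSS token inside it (RFC 1964 / RFC 4120).  Added example; the
token below is copied from the neon log in the post above."""
import base64

NEGOTIATE_B64 = (
    "oYGfMIG"
    "coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA"
    "DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u"
    "DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2"
)

KRB5_MECH = "1.2.840.113554.1.2.2"
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
TOK_ID = {"0100": "AP-REQ", "0200": "AP-REP", "0300": "KRB-ERROR"}     # RFC 1964 s.1.1
ETYPE = {3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
         18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _tlv(buf, pos=0):
    """Read one DER TLV at pos; returns (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Tag -> value for the TLVs directly inside a constructed value."""
    out, pos = {}, 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out[tag] = val
    return out


def _oid(raw):
    ids, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(acc)
            acc = 0
    return ".".join(map(str, ids))


def _int(raw):
    return int.from_bytes(raw, "big", signed=True)


def parse_krb5_gss_token(tok):
    """0x60 <len> <mech OID> <TOK_ID> <Kerberos message> (RFC 1964 framing)."""
    tag, body, _ = _tlv(tok)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    _, oid, pos = _tlv(body)
    tok_id, msg = body[pos:pos + 2].hex(), body[pos + 2:]
    _, app, _ = _tlv(msg)                 # [APPLICATION n] wrapper ...
    _, seq, _ = _tlv(app)                 # ... around the SEQUENCE of tagged fields
    fields = _children(seq)               # [0] pvno, [1] msg-type, [2] ...
    info = {"mech": _oid(oid), "tok_id": TOK_ID.get(tok_id, tok_id),
            "msg_type": _int(_tlv(fields[0xA1])[1])}
    if info["msg_type"] == 15:            # AP-REP: enc-part [2] EncryptedData
        enc = _children(_tlv(fields[0xA2])[1])
        etype = _int(_tlv(enc[0xA0])[1])
        info["etype"] = ETYPE.get(etype, etype)
        info["cipher_len"] = len(_tlv(enc[0xA2])[1])   # opaque: encrypted with the session key
    return info


def decode_negotiate(b64):
    """Parse NegTokenResp ([1] SEQUENCE) from the value after 'Negotiate '."""
    tag, body, _ = _tlv(base64.b64decode(b64))
    if tag != 0xA1:
        raise ValueError("expected NegTokenResp (tag 0xA1)")
    fields = _children(_tlv(body)[1])
    out = {"mech_list_mic": 0xA3 in fields}
    if 0xA0 in fields:
        out["neg_state"] = NEG_STATE[_int(_tlv(fields[0xA0])[1])]
    if 0xA1 in fields:
        out["supported_mech"] = _oid(_tlv(fields[0xA1])[1])
    if 0xA2 in fields:
        out["response_token"] = parse_krb5_gss_token(_tlv(fields[0xA2])[1])
    return out


if __name__ == "__main__":
    for key, value in decode_negotiate(NEGOTIATE_B64).items():
        print(f"{key}: {value}")
```

Run as a script it shows that the server answered accept-completed with the Kerberos V5 mechanism and a GSS token carrying an AP-REP whose enc-part uses etype 23 (rc4-hmac): this is the message the client's InitializeSecurityContext has to verify to finish mutual authentication. The enc-part is left opaque, since it is encrypted under the session key.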
RE: Kerberos vs. LDAP for authentication -- any opinions? #2
Harry, others,
The SASL/GSS mechanism supported by the LDAP server is used to securely access the directory. Using SASL/GSS and LDAP does not help authenticate a user so he/she can use an application which then presents the user's identity to other application components in a secure manner - this is one of the many requirements for application security for which Kerberos is ideally suited.
I think we need to compare the LDAP directory and Kerberos protocol in order to answer the original question asked. Admittedly, if SASL/GSS is used to securely access a directory so that a password can be read and compared, then LDAP can be used to authenticate a user.
I have provided a short list of some differences, not necessarily a complete list, so maybe others on this email discussion can add comments and think of other important differences?
LDAP server for user authentication
- can be used to store password + other information about users.
- useful for simple user authentication requirements where checking of password is all that is required.
Kerberos for user authentication
- uses security credentials which have a lifetime - LDAP does not have this capability
- built-in prevention of network replay attacks and protection against other network security concerns - LDAP does not protect against these issues
- removes the need to pass any form of password across a network - LDAP requires password transmission
- A protocol that allows support for userid/password, token card, smart card au...
Re: [LDAP] Speeding up authentication using ldap #2
On 3/19/2006 1:43 PM, davideyeahsure@onlyforfun.net wrote to All:
-> Every server uses its own LDAP server to authenticate; if that is down, there
-> are two 'backup' servers (the nearest). The same result is obtained even in a
-> test environment with one server running the LDAP server on its own.
Oh ok, so redundant LDAP servers then.
On 2006-03-22, Robert Wolfe <robert.wolfe@net261.com> wrote:
> Oh ok, so redundant LDAP servers then.
Yes. No, I don't think that the problem is a slow connection to the
server, as said, the same result is obt...
Unable to run SASL using GSSAPI/kerberos 5 as authentication against Sun One Directory Server
I am trying to run the same example that Microsoft has given for
authentication. I am trying this sample against SEAM and not AD.
FYI: I am able to run gssapi samples successfully. Also
/var/Sun/mps/shared/bin/ldapsearch -o mech=GSSAPI -h blade -p 389 -o realm="quark.co.in" -o authzid="test@QUARK.CO.IN" -b "ou=people,dc=quark,dc=co,dc=in" objectclass=*
runs well, so I know that I do not have installation problems.
Though I am able to get the ticket, I still get an error (error.txt, attached, is the
output).
$ klist
Ticket cache: /tmp/krb5cc_1023
Default principal: test@QUARK.CO.IN
Valid starting            Expires                   Service principal
Fri Feb 27 20:22:14 2004  Sat Feb 28 04:22:14 2004  krbtgt/QUARK.CO.IN@QUARK.CO.IN
Fri Feb 27 20:26:52 2004  Sat Feb 28 04:22:14 2004  ldap/blade.quark.co.in@QUARK.CO.IN
Any small hint shall also be of great use.
--------------------------- Output at full log traceLevel ---------------------------
ldap_open
ldap_init
nsldapi_open_ldap_connection
nsldapi_connect_to_host: blade:389
sd 4 connected to: 10.91.198.100
ldap_open successful, ld_host is (null)
LDAP service name: ldap@blade
==> client_establish_context
Sending init_sec_context token (size=466)...
60 82 01 ce 06 09 2a 86 48 86 f7 12 01 02 02 01
00 6e 82 01 bd 30 82 01 b9 a0 03 02 01 05 a1 03
02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 01 01
61 81 fe 30 81 fb a0 03 02 01 05 a1 0d 1b 0b 51
55 41 52 4b 2e 43 4f 2e 49 4e a2 24 30 22 a0 03
02 01 03 a1 1...
RE: MIT Kerberos and Solaris 10 Kerberos #2
BTW, as a further clarification, the system was installed initially
using our MIT Kerberos build (i.e. the same as we use on all of the
Solaris 8 machines). I am now trying to get it to work with the Solaris
10 SEAM.
One problem I see immediately (refreshing my memory with a couple quick
tests) is that, when using the Sol10 SEAM to install the keytab, I
immediately get:
# kadmin -p rheilke/admin
Authenticating as principal rheilke/admin@ATCOTEST.CA with password.
Password for rheilke/admin@ATCOTEST.CA:
kadmin: ktadd host/salty.atcotest.ca
kadmin: Communication failure with server while changing
host/salty.atcotest.ca's key
kadmin:
So, the Sol10 SEAM cannot seem to talk to the KDC.
Rainer
Heilke, Rainer wrote:
> BTW, as a further clarification, the system was installed initially
> using our MIT Kerberos build (i.e. the same as we use on all of the
> Solaris 8 machines). I am now trying to get it to work with the Solaris
> 10 SEAM.
>
> One problem I see immediately (refreshing my memory with a couple quick
> tests) is that, when using the Sol10 SEAM to install the keytab, I
> immediately get:
>
> # kadmin -p rheilke/admin
> Authenticating as principal rheilke/admin@ATCOTEST.CA with password.
> Password for rheilke/admin@ATCOTEST.CA:
> kadmin: ktadd host/salty.atcotest.ca
> kad...
Re: Re: Problem with LDAP Referrals and Kerberos LDAP Backend
Hello all,
It seems that not many people use LDAP Referral together with MIT
Kerberos.
Nevertheless the missing support ("feature") is something I really
need.
Is it possible that anybody of the developers adds this functionality?
If not: Greg, could you please specify the places or try to add it? I
can do the necessary tests.
Best regards
Chris
On 11/03/2013 03:13 PM, Christopher Racky wrote:
> I don't understand why this behavior is expected. In my opinion this
> is a bug.
It's simplest to think of this as a missing feature. If I read the code
correctly, callers of the OpenLDAP library follow referrals using
anonymous binds by default. With additional effort, callers can control
how referrals bind.
Although I believe I know roughly how the preferred behavior could be
implemented, it would not be trivial to develop or test, so I can't give
you any guarantees as to when it might happen.
-
Hello Greg,
Thank you very much for your reply.
I don't understand why this behavior is expected. In my opinion this
is a bug.
I would expect that after processing referrals the same credentials
are still reused.
Is that a misunderstanding on my side?
If not: it seems that you know very exactly the place where
this must be fixed.
I'm not sure if you are a developer. If yes, do ...
RE: Linux authentication using Kerberos and AD
Also, I believe that you must either put the user into NIS or the local
files; you do not have to have a shadow entry in local files. I have not
tried via NIS yet.
On the MS side you do not need AD4Unix.
You need to install the current service packs (if 2000 you need the high
encryption pack), and Microsoft Services for UNIX 3.5, which I think is the current
version. In the AD user management tool you need to go to the UNIX tab and
add that user to NIS. Make sure the uid and gid match what you put into the
passwd file.
On your Linux client you need a ldap.conf something like this...
host yourhost
base dc=your,dc=ad,dc=domain
ldap_version 3
binddn cn=yourldapauthorizedaccount,cn=Users,dc=your,dc=ad,dc=domain
bindpw aboveuserspw
pam_password ad
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid msSFU30Name
nss_map_attribute uniqueMember member
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_objectclass posixGroup group
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute gecos displayName
nss_map_attribute loginShell msSFU30LoginShell
pam_login_attribute msSFU30Name
pam_filter objectclass=User
You need to configure your files in /etc/pam.d properly
You need to add ldap to /etc/nsswitch.conf
Of course you have to setup krb5.conf kdc.conf
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mi...
RE: Kerberos vs. LDAP for authentication -- any opinions?
Normally, a client user is not allowed to modify the password, but the LDAP server
login admin user will be able to do it. Actually, the LDAP server is an
authentication service provider.
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf
Of Harry Le
Sent: Wednesday, January 28, 2004 2:30 PM
To: kerberos@mit.edu
Subject: RE: Kerberos vs. LDAP for authentication -- any opinions?
Not entirely true.
Most LDAP servers now support the SASL/GSSAPI mechanism. It uses Kerberos
V5 credentials to authenticate users against LDAP directories. This will
not require users to change passwords. For data privacy, use SSL.
Joseph
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf
Of Jeffrey Altman
Sent: Wednesday, January 28, 2004 11:19 AM
To: kerberos@mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?
LDAP is not an authentication infrastructure.
All you are doing with LDAP is providing a database of usernames and
passwords which is accessible over the network. Your users must then
transmit said usernames and passwords across the network to a potentially
compromised machine in order for them to be validated against the copies
stored in LDAP.
To me this approach is unacceptable.
cyberp70@yahoo.com wrote:
> At the risk of starting a religious war....
>
> We currently use Kerberos for authentication for almost everything on
> our network. Some ...
RE: encryption algorithm used by kerberos #2
Sam Hartman wrote:
> * Cibersafe supports a 3DES incompatible with the rest of the world
This is not strictly true, especially considering the many PacketCable and CableHome implementations on the market and their use of the same 3DES cipher suite as the CyberSafe products.
To clarify this I have provided a more complete list of 'modern' Kerberos implementations to avoid any misinterpretation of Sam's reference to this:
MIT
- 3DES with HMAC/SHA1 digest
- AES
- RC4 with HMAC
Heimdal
- 3DES with HMAC/SHA1 digest
- AES
- RC4 with HMAC
Microsoft
- RC4 with HMAC
CyberSafe (www.cybersafe.ltd.uk)
- 3DES with MD5 digest
- RC4 with HMAC (available very soon ...)
- AES (available very soon ...)
IPFonix (www.ipfonix.com)
- 3DES with MD5 digest
(The requirement for 3DES with MD5 digest is documented on page 62 of PacketCable security specification)
Jungo (http://www.jungo.com/openrg/rgcablehome.html)
- 3DES with MD5 digest
(Uses similar security standards as PacketCable)
Summary:
With the large number of vendors involved in PacketCable/CableHome (there are too many to list here) it is clear that the 3DES cipher with MD5 digest (as supported by CyberSafe) is here to stay for a very long time.
Today, with RC4 support many of the above Kerberos implementations can work well with Microsoft AD, however the long term desire is for all implementations to use AES as a default/preference instead of RC4. Currently there is no standard for AES with GSS-API/SSPI -...
RE: MIT Kerberos and Solaris 10 Kerberos
> possibly 'su' with pam_krb5 for the authentication. It's not quite
> the same as 'ksu', though.
Douglas says the same. The su man page indicates something about this,
but not a lot of details there. I'll look into this further. As far as a
co-worker is concerned (and in our environment, I can see his point),
this would be a show stopper. We use ksu for all sorts of things,
including giving DBA's access to Oracle ID's.
Thanks again for all of the help. I'll go through the su and pam.conf
man pages, and see if I can figure it out.
Rainer
Heilke, Rainer wrote:
>> possibly 'su' with pam_krb5 for the authentication. It's not quite
>> the same as 'ksu', though.
>
>
> Douglas says the same. The su man page indicates something about this,
> but not a lot of details there. I'll look into this further. As far as a
> co-worker is concerned (and in our environment, I can see his point),
> this would be a show stopper. We use ksu for all sorts of things,
> including giving DBA's access to Oracle ID's.
>
> Thanks again for all of the help. I'll go through the su and pam.conf
> man pages, and see if I can figure it out.
Make sure you have a root window open before testing PAM. I stumbled on
this when I tried to su and my t...
Re: kerberos for Microsoft IIS/any http server? #2
Sanjay,
You should also check out http://sourceforge.net/projects/modgssapache/ and
http://sourceforge.net/projects/modauthkerb.
I recently added support for Apache 1.3 to mod_spnego, which is part of
http://sourceforge.net/projects/modgssapache/. After these changes are
tested on Linux, documented (in mod_spnego/readme.txt) and packaged (which
should happen next week), mod_spnego will support Apache 1.3 and 2.0 on
Linux, Solaris and Windows.
Frank
>From: Wyllys Ingersoll <wyllys.ingersoll@sun.com>
>Reply-To: wyllys.ingersoll@sun.com
>To: Sanjay <sanjay@cisco.com>
>CC: kerberos@MIT.EDU
>Subject: Re: kerberos for Microsoft IIS/any http server?
>Date: 25 Nov 2003 16:56:40 -0500
>
>
>Check out http://negotiateauth.mozdev.org
>This guy has an extension for mozilla for supporting
>Microsoft's Negotiate mechanism. However, his version
>currently only supports Heimdal's Kerberos/GSSAPI.
>This site also has links to Apache plugins which support
>the IIS negotiate method.
>
>Also take a look at
>http://bugzilla.mozilla.org/show_bug.cgi?id=17578
>
>I posted a more generalized patch for Mozilla which *should*
>be able to compile with Heimdal, MIT, or Solaris Kerberos
>implementations. It likely will not appear in Mozilla
>until release 1.7, though. In the meantime, extensions for
>Mozilla 1.5 (and 1.6) should start appearing sometime
>in the near future.
>
>You don't mention...
Re: Problem using Kerberos for user authentication -- ChallengeResponseAuthentication
Hi all,
We are running Kerberos/Ldap on RHEL 5.2, both server and clients. We
have found that if we set
ChallengeResponseAuthentication yes
in sshd_conf the result is no TGT ticket is created when a user logs
in by ssh. This problem is detailed in a Debian bug report here; we
don't see it having ever been fixed in redhat
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339734
Setting
PasswordAuthentication yes
does work, at least in our environment.
If anyone has any further information on this we'd appreciate it.
Cheers,
Steve
On Wed, Nov 11, 2009 at 11:2...
RE: Kerberos vs. LDAP for authentication -- any opinions? #3
Peter,
Thank you for the explanation. I was trying to keep my answer relatively simple to avoid any unnecessary technical detail and hence over-complicating the answer to the original question asked.
Anyway, Kerberos is useful for more than just SSO (or SSSO) when comparing with LDAP; this is why I provided a long list of differences in my email. In fact LDAP and Kerberos are complementary and not competitive technologies.
Thanks, Tim.
-----Original Message-----
From: Peter Gietz [mailto:peter.gietz@daasi.de]
Sent: 29 January 2004 16:58
To: Tim Alsop
Cc: Harry Le; kerberos@mit.edu
Subject: Re: Kerberos vs. LDAP for authentication -- any opinions?
Tim,
Your view on LDAP may be a little too simplified.
There is a whole variety of authentication mechanisms that you can use within LDAP, userdn/cleartext password (=simple bind) being only the most useless and unrecommended by the standards.
The minimal recommendation is to use that simple bind within a TLS encrypted session, but there are other mechanisms in LDAP implementations which all use the SASL framework. The IMHO most important SASL mechanisms are:
- DIGEST-MD5, a challenge response mechanism, where the actual password will not be sent through the net. This is also mandatory to implement in standard conforming LDAP
- GSSAPI using the Kerberos 5 mechanism, which was already mentioned in this thread, and is implemented in at least some LDAP implementations, like OpenLDAP.
Any other SASL mechanisms could also be used,...
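Jeffrey Altman's point earlier in this thread (a simple bind ships the password itself across the network) and Peter Gietz's point (SASL mechanisms such as GSSAPI do not) can be checked directly against the bytes of an LDAPv3 BindRequest. What follows is an added example, not code from any of the posts: a minimal BER encoder/decoder for BindRequest (RFC 4511) and a check that flags simple binds carrying a cleartext password on a non-TLS connection. The DN, password and message IDs are made up; the GSSAPI token is a stand-in built from the first bytes of the init_sec_context dump in the Sun One Directory Server post above.

```python
"""LDAPv3 BindRequest on the wire: simple bind versus SASL/GSSAPI bind.
Added example, not from the thread.  Pure-Python BER, no LDAP library needed."""
from typing import List, Optional, Tuple

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60      # [APPLICATION 0] BindRequest (RFC 4511 s.4.2)
AUTH_SIMPLE = 0x80       # AuthenticationChoice simple [0] OCTET STRING
AUTH_SASL = 0xA3         # AuthenticationChoice sasl [3] SaslCredentials

# Stand-in GSSAPI token: first bytes of the init_sec_context dump in the
# Sun One post above (RFC 1964 framing, krb5 mech OID, AP-REQ token id).
KRB5_GSS_PREFIX = bytes.fromhex("608201ce06092a864886f71201020201006e8201bd")


def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _integer(value: int) -> bytes:       # non-negative, DER-minimal
    return _tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_simple_bind(dn: str, password: str, msg_id: int = 1) -> bytes:
    auth = _tlv(AUTH_SIMPLE, password.encode())          # the password, verbatim
    op = _tlv(BIND_REQUEST, _integer(3) + _tlv(OCTET_STRING, dn.encode()) + auth)
    return _tlv(SEQUENCE, _integer(msg_id) + op)


def build_sasl_bind(mechanism: str, token: bytes, msg_id: int = 1) -> bytes:
    creds = _tlv(AUTH_SASL, _tlv(OCTET_STRING, mechanism.encode()) + _tlv(OCTET_STRING, token))
    op = _tlv(BIND_REQUEST, _integer(3) + _tlv(OCTET_STRING, b"") + creds)
    return _tlv(SEQUENCE, _integer(msg_id) + op)


def _read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one TLV at pos; returns (tag, value, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def classify_bind(msg: bytes) -> Optional[dict]:
    """Return what a BindRequest carries, or None if msg is not one."""
    tag, body, _ = _read(msg)
    if tag != SEQUENCE:
        return None
    tag, mid, pos = _read(body)
    if tag != INTEGER or pos >= len(body):
        return None
    tag, op, _ = _read(body, pos)
    if tag != BIND_REQUEST:
        return None
    _, version, pos = _read(op)
    _, name, pos = _read(op, pos)
    auth_tag, auth, _ = _read(op, pos)
    info = {"message_id": int.from_bytes(mid, "big", signed=True),
            "version": int.from_bytes(version, "big", signed=True),
            "dn": name.decode()}
    if auth_tag == AUTH_SIMPLE:
        info["kind"] = "simple"
        info["password"] = auth.decode()                  # readable by anyone on the path
    elif auth_tag == AUTH_SASL:
        info["kind"] = "sasl"
        _, mech, pos = _read(auth)
        info["mechanism"] = mech.decode()
        info["token_len"] = len(_read(auth, pos)[1]) if pos < len(auth) else 0
    else:
        info["kind"] = "unknown"
    return info


def cleartext_bind_findings(messages: List[bytes], over_tls: bool = False) -> List[Tuple[str, str]]:
    """(dn, reason) for every bind that exposes a password without TLS."""
    findings = []
    for msg in messages:
        info = classify_bind(msg)
        if info and info["kind"] == "simple" and info["password"] and not over_tls:
            findings.append((info["dn"], "cleartext password"))
    return findings
```

The simple bind message contains the password bytes unchanged, which is why it needs TLS (or LDAPS) to be acceptable; the SASL bind carries only the mechanism name and a GSS-API token, and the password never leaves the client. A DIGEST-MD5 bind would likewise show up here as kind "sasl" with no password field.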
Re: Is it required to use GSSAPI code for the Kerberos Server Auth?
Hi Team,
Could you please let me know your thoughts on the below mentioned issue.
Point #1
----------
I am working on the SA (Server Authentication) feature of Kerberos.
- Is it required to port GSSAPI code for this feature of SA?
- If so, where should I use this mechanism in the kerberos client code? That
means, between TGS_REP and AP_REQ?
- What is the exact procedure to use the GSSAPI code?
I am using MIT code and a Linux server (sendmail server, SMTP as the
application server, i.e. I need to do server authentication for that SMTP
server).
POINT#2:
----------
I tried by sending AP_REQ to the SMTP server successfully but I could not
receive the AP_REP successfully. I think the AP_REQ packet is not properly
understood by the SMTP server since I have not been using the GSSAPI code in my
implementation. So should I port the GSSAPI code into my code base and do
SA??
POINT#3:
======
- Is the following statement right?
Kerberos Server Authentication is not supported by Windows 2003/2000
Exchange SMTP server.
Kerberos SA can be done (only) with Linux/Unix Sendmail SMTP server.
Is this statement true????
Could you please throw some light on the same?
Thank you,
-Surendra
Surendra Babu A wrote:
> Hi Team,
>
> Could you please let me know your thoughts on the below mentioned issue.
>
> ...
Authenticate Using Multiple LDAPs Sun One Web Server
I am wondering if it is possible to configure Sun One Web Server to
authenticate users against more than one LDAP server. For example, if
a user is in either one of two LDAP servers (active directory or
Aphelion), they will be granted access to the web site.
B Dolley wrote:
> I am wondering if it is possible to configure Sun One Web Server to
> authenticate users against more than one LDAP server. For example, if
> a user is in either one of two LDAP servers (active directory or
> Aphelion), they will be granted access to the web site.
Dear Mr. B :-)
I'm not familiar with aph...
Forcing the use of kerberos by ldap clients when connecting to an openldap server
Hello all,
I have an openldap server that successfully authenticates against a
kerberos setup:
[jamie@janeiro ~]$ ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: jamie@example.com
SASL SSF: 56
SASL installing layers
dn:uid=jamie,ou=people,dc=example,dc=com
Result: Success (0)
When I do not put -Y GSSAPI in, I get:
[jamie@janeiro ~]$ ldapwhoami
ldap_sasl_interactive_bind_s: No such object (32)
Is it possible to force the client or server to use GSSAPI for
authentication, so I don't need to write it every time. In my
slapd.conf file I have:
TLSCertificateFile /etc/openldap/cacerts/newcert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/newreq.pem
....
sasl-secprops noanonymous,noplain,noactive
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com
In particular, this sasl-secprops line (according to the website I
pilfered it from) should in theory force the use of GSSAPI, but in
practice it doesn't.
The reason I wish to force GSSAPI is to make a java app I need to
interoperate with use the right mechanism (i.e. GSSAPI), and hence
authenticate against kerberos via LDAP rather than authenticate
against ldap only.
Thanks for any help.
Jamie
Actually I'm a putz,
What I was trying to do would never have worked! authentication
against LDAP using GSSAPI requires the user to have already signed
into a kerberos realm and have a token. In my setup, that token was
not available (the user never signs in), hence it'...
RE: Server not found in Kerberos database error on ldapsearch #2
I don't know if I got you right (I'm not very good with networks and
especially AD; that's a new thing for me, so I'm a noob).
So I just ask again:
Douglas E. Engert wrote
> > I captured the request dialog with wireshark and got this (the things I think
> > are important):
> >
> > MSG Type: KRB-ERROR
> > Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
> > Realm: EXAMPLE.COM
> > Server Name (Unknown): krbtgt/COM
> > Name-type: Unknown (0)
> > Name: krbtgt
> > Name: COM
>
> This looks like cross realm, where the client is working its way up the realm
> tree to get to the realm of the server, say AD.DOMAIN.COM. Client is using TGT
> from EXAMPLE.COM to get TGT for realm COM (which does not exist). If it did, it
> would then try and get a TGT from COM for DOMAIN.COM, then get one from
> AD.DOMAIN.COM and then get a service ticket from AD.DOMAIN.COM.
>
> I thought you were trying to use Active Directory, and the domain name
> was something like ad.domain.com. So why does your unix system have
> a realm named EXAMPLE.COM? Have you set up cross realm trust
> between them?
>
> If you are not using cross-realm, then you should be using the
> AD domain name as the realm name. It should have a realm named AD.DOMAIN.COM.
> Either the user and server must be in the same realm, or you need cross realm
> trust.
The domai...
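The realm walk Douglas describes is easy to reproduce, and doing so shows exactly why the capture contains a request for krbtgt/COM. Below is an added example, not code from the thread: it computes the krbtgt principals a client asks for on the way from its own realm to the server's realm under MIT krb5's default hierarchical rule (walk up the client realm to the nearest common domain suffix, then down to the server realm), and shows how a [capaths] entry in krb5.conf changes that path. The realm names are the ones from the capture above; the case where the two realms share no domain suffix is left as an error rather than guessed, and the [capaths] handling is a simplified reading of the krb5.conf format (one client realm, one server realm, a list of intermediates, "." meaning direct trust).

```python
"""Cross-realm TGT path: which krbtgt/REALM@REALM tickets a client requests.
Added example, not from the thread.  Reproduces the default hierarchical
walk MIT krb5 uses when [capaths] has no entry for the client/server pair."""
from typing import Dict, List, Optional, Set

CapathsMap = Dict[str, Dict[str, List[str]]]      # client realm -> server realm -> intermediates


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Realms visited after the client's own: up to the common suffix, then down.
    Assumption: realms that share no suffix need [capaths]; refuse rather than guess."""
    if client_realm == server_realm:
        return []
    c, s = client_realm.split("."), server_realm.split(".")
    i = 0
    while i < min(len(c), len(s)) and c[-1 - i] == s[-1 - i]:
        i += 1                                    # length of the common domain suffix
    if i == 0:
        raise ValueError("no common domain suffix; configure [capaths]")
    up = [".".join(c[k:]) for k in range(1, len(c) - i + 1)]          # toward the ancestor
    down = [".".join(s[k:]) for k in range(len(s) - i - 1, -1, -1)]   # ancestor's child .. server
    return up + down


def cross_realm_hops(client_realm: str, server_realm: str,
                     capaths: Optional[CapathsMap] = None) -> List[str]:
    """krbtgt principals requested, in order, until a TGT for server_realm is held."""
    explicit = (capaths or {}).get(client_realm, {}).get(server_realm)
    if explicit is None:
        via = hierarchical_path(client_realm, server_realm)
    else:
        via = [r for r in explicit if r != "."] + [server_realm]   # "." = direct trust
    hops, holder = [], client_realm
    for realm in via:
        hops.append(f"krbtgt/{realm}@{holder}")   # TGT for `realm`, issued by `holder`'s KDC
        holder = realm
    return hops


def first_unreachable(hops: List[str], known_realms: Set[str]) -> Optional[str]:
    """The first hop whose target realm does not exist: the KDC answers it with
    KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, which is what the capture above shows."""
    for hop in hops:
        target = hop.split("/", 1)[1].split("@", 1)[0]
        if target not in known_realms:
            return hop
    return None


if __name__ == "__main__":
    hops = cross_realm_hops("EXAMPLE.COM", "AD.DOMAIN.COM")
    print("default walk:", hops)
    print("fails at:", first_unreachable(hops, {"EXAMPLE.COM", "AD.DOMAIN.COM"}))
    direct = {"EXAMPLE.COM": {"AD.DOMAIN.COM": ["."]}}
    print("with [capaths] direct trust:", cross_realm_hops("EXAMPLE.COM", "AD.DOMAIN.COM", direct))
```

With no [capaths] entry the first request is for krbtgt/COM@EXAMPLE.COM, and since no realm COM exists the KDC returns S_PRINCIPAL_UNKNOWN for it. A direct trust declared in [capaths] collapses the path to a single hop, which is the other half of Douglas's advice: either use the AD domain as the realm or set up (and declare) the cross-realm trust.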
Changing master key (Kerberos authentication server+LDAP database)
Is it possible to change the master key of a realm when LDAP is used
as the database server? The stash file is not present since LDAP is
used. Appreciate any help on this.
Thanks,
Anubha
...
PIX 7.2 VPN with kerberos / ldap authentication and authorization
Anyone ever did this configuration with a ver 7.2? I can make it work :?
what i am trying to do is:
vpn users from windows xp; connecting to pix through L2TP and
authenticating to the active directory servers in the inside interface.
On Wed, 23 Aug 2006 05:09:32 -0700, XaBi wrote:
> anyone ever did this configuration with a ver 7.2 ?; i can make it work
> :?
>
> what i am trying to do is:
>
> vpn users from windows xp; connecting to pix through L2TP and
> authenticating to the active directory servers in the inside interface.
First, look here -
http://www.cisc...
Re: Is there P.A.M. or Kerberos authentication support in IDS? #2
There is PAM support starting with IDS 9.40.UC2, on SOL32, SOL64, HP32,
AIX32, and Linux. You could also use ESQL/C as the client , starting
CSDK2.81.UC2 (ESQL - 9.53.UC2) . The client has support for PAM on all
platforms.
Read
http://www-106.ibm.com/developerworks/db2/zones/informix/library/techarticle/0306mathur/0306mathur.html
for more information.
Thanks and Regards,
Abhi.
--------------------------------------------------------------------
There are 10 kinds of people,,,,,
..... those who understand binary notations, and those who don't.
--------------------------------------------------------------------
"Jim Cramer" <jcramer@engineering.uiowa.edu>
Sent by: owner-informix-list@iiug.org
01/22/2004 02:15 PM
Please respond to "Jim Cramer"
To: informix-list@iiug.org
cc:
Subject: Is there P.A.M. or Kerberos authentication support
in IDS?
Hi all,
We do not wish to use the age-old, insecure, arcane Unix login
authentication method that hits against the /etc/passwd file when logging
into our IDS servers.
Instead, we would like to use a centralized, networked
authentication/account server such as a Kerberos Domain Controller.
Specifically, my question is: does anyone know of any support in Informix
Dynamic Server for use of either P.A.M. (Pluggable Authentication Module)
(Kerberos is one authentication plugin module that works with t...