RE: Kerberos error 52 (0x34) when using kinit

Hello Douglas,
Thanks for the response. I'll get the latest version from MIT and try
again.

Regards,
Bruce. 

-----Original Message-----
From: Douglas E. Engert [mailto:deengert@anl.gov] 
Sent: Friday, December 10, 2004 8:57 AM
To: Wells, Bruce
Cc: kerberos@mit.edu
Subject: Re: Kerberos error 52 (0x34) when using kinit



Wells, Bruce wrote:

> Hello All,
> I'm getting the above error when I try to get the initial ticket using
> kinit. The KDC is Windows 2003 and the client is running on linux. My
> understanding of kerberos and the KDC in particular is that if the KDC
> can't send the response back via UDP it will switch over to TCP. My
> question is this: Does the client need to programmatically take an
> action if it receives this error or will this be taken care of "under
> the hood"? Also the client side (linux), is there a way to force the
> communication to occur using TCP?

Depends on the release of the Kerberos. MIT 1.2.x did not support TCP,
1.3.x does. It's a recent addition to Java as well. The libs will switch
as needed.

The krb5.conf [libdefaults] udp_preference_limit = nnn can be used to
tell the client to use TCP if the message is over nnn bytes. Setting to
1 in effect says try TCP first.

The problem is the ticket is large due to the PAC being included from
AD. (IIRC) W2003 servers have a lower cut-over size than W2000 servers.

> 
> TIA,
> Bruce E. Wells
> 
> ------------------------------------------------------------------------
> 
> CONFIDENTIALITY AND SECURITY NOTICE
> 
> This e-mail contains information that may be confidential and
> proprietary. It is to be read and used solely by the intended
> recipient(s). Citadel and its affiliates retain all proprietary rights
> they may have in the information. If you are not an intended recipient,
> please notify us immediately either by reply e-mail or by telephone at
> 312-395-2100 and delete this e-mail (including any attachments hereto)
> immediately without reading, disseminating, distributing or copying.
> We cannot give any assurances that this e-mail and any attachments are
> free of viruses and other harmful code. Citadel reserves the right to
> monitor, intercept and block all communications involving its computer
> systems.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Posted to comp.protocols.kerberos, 12/10/2004 5:56:37 PM
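The exchange Douglas describes, as an added example that is not part of the thread and not MIT or Windows code: a client that applies the udp_preference_limit rule to pick a transport, sends to a simulated KDC, and, when the UDP answer is a KRB-ERROR with error-code 52 (KRB_ERR_RESPONSE_TOO_BIG), retries over TCP with the 4-octet length framing RFC 4120 requires. The KDC is an in-process stand-in; its reply is an opaque blob sized to stand for a PAC-inflated AS-REP, and the KRB-ERROR it returns is a minimal DER encoding carrying only the error-code field. The default limit of 1465 is MIT's documented value (verify it against your release); the 1472-byte datagram cut-over is a constructed figure for the toy KDC, not the Windows one.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52        # RFC 4120 section 7.1; 0x34 in the subject line
DEFAULT_UDP_PREFERENCE_LIMIT = 1465  # MIT krb5 default (assumption: verify for your release)
UDP_PAYLOAD_MAX = 1472               # constructed: what the toy KDC fits in one datagram


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def der_tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 128:
        length, off = first, off + 2
    else:
        n = first & 0x7F
        length, off = int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n
    return tag, buf[off:off + length], off + length


def encode_krb_error(error_code):
    """Minimal KRB-ERROR: [APPLICATION 30] SEQUENCE { [6] error-code INTEGER }.
    A real KDC also sends pvno, msg-type, stime, susec, realm and sname; only
    error-code matters for the transport decision, so the rest is omitted."""
    assert 0 <= error_code < 128        # one INTEGER octet covers every KRB error code
    field = der_tlv(0xA6, der_tlv(0x02, bytes([error_code])))   # [6] context-specific
    return der_tlv(0x7E, der_tlv(0x30, field))                   # 0x7E = APPLICATION 30


def krb_error_code(msg):
    """Return the error-code of a KRB-ERROR, or None if msg is some other message."""
    if not msg or msg[0] != 0x7E:
        return None
    _, seq, _ = read_tlv(msg, 0)
    _, fields, _ = read_tlv(seq, 0)
    off = 0
    while off < len(fields):
        tag, value, off = read_tlv(fields, off)
        if tag == 0xA6:
            _, integer, _ = read_tlv(value, 0)
            return int.from_bytes(integer, "big", signed=True)
    return None


class ToyKdc:
    """Stand-in for the Windows KDC in the thread: one canned reply, two transports."""

    def __init__(self, reply_size):
        # Opaque placeholder for an AS-REP that a PAC has inflated to reply_size bytes.
        self.reply = b"\x6b" + b"\x00" * (reply_size - 1)

    def serve_udp(self, request):
        if len(self.reply) > UDP_PAYLOAD_MAX:
            return encode_krb_error(KRB_ERR_RESPONSE_TOO_BIG)   # "come back over TCP"
        return self.reply

    def serve_tcp(self, stream):
        # RFC 4120 section 7.2.2: 4-octet big-endian length prefix, high bit reserved.
        (length,) = struct.unpack("!I", stream[:4])
        assert length & 0x80000000 == 0 and len(stream) == 4 + length
        return struct.pack("!I", len(self.reply)) + self.reply


def transport_order(request_len, udp_preference_limit=DEFAULT_UDP_PREFERENCE_LIMIT):
    """udp_preference_limit as MIT documents it: a request larger than the limit
    tries TCP first, a smaller one tries UDP first, and the other transport is
    still tried if the first fails. A limit of 1 means TCP first for everything."""
    if request_len > udp_preference_limit:
        return ("tcp", "udp")
    return ("udp", "tcp")


def send_to_kdc(kdc, request, udp_preference_limit=DEFAULT_UDP_PREFERENCE_LIMIT):
    """Send request to kdc, retrying over TCP when UDP yields error 52.
    Returns (reply, transport_used, attempts) with attempts as (transport, error_code)."""
    attempts = []
    for transport in transport_order(len(request), udp_preference_limit):
        if transport == "udp":
            reply = kdc.serve_udp(request)
            code = krb_error_code(reply)
            attempts.append(("udp", code))
            if code == KRB_ERR_RESPONSE_TOO_BIG:
                continue        # the library retries; the application does nothing
            return reply, "udp", attempts
        framed = kdc.serve_tcp(struct.pack("!I", len(request)) + request)
        (length,) = struct.unpack("!I", framed[:4])
        assert length & 0x80000000 == 0
        reply = framed[4:4 + length]
        attempts.append(("tcp", krb_error_code(reply)))
        return reply, "tcp", attempts
    raise RuntimeError("no transport produced a reply")
```

With the default limit, a small AS-REQ goes out over UDP, comes back as error 52, and is resent over TCP; with udp_preference_limit = 1 the UDP round trip never happens. The limit is about the size of the request, not the reply, so it is the KDC's error 52, not the limit, that rescues the PAC-laden reply when the default is in use. On MIT releases that support it, running kinit with KRB5_TRACE=/dev/stderr shows which transport each attempt used, which is the quickest way to confirm the fallback on a real client.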

Reply:

Similar Artilces:

Kerberos error 52 (0x34) when using kinit
Hello All, I'm getting the above error when I try to get the initial ticket using kinit. The KDC is Windows 2003 and the client is running on linux. My understanding of kerberos and the KDC in particular is that if the KDC can't send the response back via UDP it will switch over to TCP. My question is this: Does the client need to programmactically take an action if it recieves this error or will this be taken care of "under the hood"? Also the client side (linux), is there a way to force the communication to occur using TCP? TIA, Bruce E. Wells ------------------------------------------------------------------------ ------------------------- ------------------------- CONFIDENTIALITY AND SECURITY NOTICE This e-mail contains information that may be confidential and proprietary. It is to be read and used solely by the intended recipient(s). Citadel and its affiliates retain all proprietary rights they may have in the information. If you are not an intended recipient, please notify us immediately either by reply e-mail or by telephone at 312-395-2100 and delete this e-mail (including any attachments hereto) immediately without reading, disseminating, distributing or copying. We cannot give any assurances that this e-mail and any attachments are free of viruses and other harmful code. Citadel reserves the right to monitor, intercept and block all communications involving its computer systems. _______________________________________...

RE: kerberos error code 0x34
According to the MS Error Lookup tool, this is RESPONSE_TOO_BIG. See http://www.microsoft.com/downloads/details.aspx?FamilyId=BE596899-7BB8-4 208-B7FC-09E02A13696C&displaylang=en if you happen to be interested in this nifty but little-known gadget. Win2k and WS03 KDCs return this error when the kerberos response can't fit in a UDP packet, so it expects the client to retry with TCP. IIRC, recent versions of mitkrb5 support kerberos over TCP (I don't know what version exactly-- MIT guys?), so upgrading the non-Windows portion of your kerberos installation should get around this. --- This message is provided "AS IS" with no warranties, and confers no rights. This message may originate from an unmonitored alias ("davespam") for spam-reduction purposes. Use "davidchr" for individual replies. Any opinions or policies stated within are my own and do not necessarily constitute those of my employer. This message originates in the State of Washington (USA), where unsolicited commercial email is legally actionable (see http://www.wa-state-resident.com). Harvesting of this address for purposes of bulk email (including "spam") is prohibited unless by my expressed prior request. I retaliate viciously against spammers and spam sites. > -----Original Message----- > From: kerberos-bounces@mit.edu > [mailto:kerberos-bounces@mit.edu] On Behalf Of AD GOES > Sent: Wednesday, March 03, 2004 2:05 PM > To: kerberos@mit.e...

Error while using kerberos
Hi, I am trying to use KTELNET application from windows XP machine (kerxp1) to a Red Hat Linux server 4.0 machine (kerlnxsvr). Both XP machine & linux machine are JOINED to the KERDOM.COM domain. (i think that it should not matter whether i use somebody's application or create my own. Errors might be same for all.) here's my /etc/krb5.conf file on kerlnxsvr: [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = KERDOM.COM dns_lookup_realm = false dns_lookup_kdc = false [realms] KERDOM.COM = { kdc = KERDOMGDC01.KERDOM.COM default_domain = KERDOM.COM admin_server = KERDOMGDC01.KERDOM.COM } [domain_realm] .kerdom.com = KERDOM.COM kerdom.com = KERDOM.COM [kdc] profile = /var/kerberos/krb5kdc/kdc.conf [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } --------- /var/kerberos/krb5kdc/kdc.conf file on kerlnxsvr: [kdcdefaults] acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab v4_mode = nopreauth [realms] KERDOM.COM = { master_key_type = des-cbc-crc supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 } I created a user kerlnxsvr & t...

RE: Kerberos error
Can you explain a little more about your setup? It sounds like you have a machine named FIRM joined to a domain named firm.com. Is that correct? Is it possible that the FIRM$ account has had its password reset through administrative means? --- This message is provided "AS IS" with no warranties, and confers no rights. This message may originate from an unmonitored alias ("davespam") for spam-reduction purposes. Use "davidchr" for individual replies. Any opinions or policies stated within are my own and do not necessarily constitute those of my employer. This message originates in the State of Washington (USA), where unsolicited commercial email is legally actionable (see http://www.wa.gov/ago/junkemail). Harvesting of this address for purposes of bulk email (including "spam") is prohibited unless by my expressed prior request. I retaliate viciously against spammers and spam sites. > -----Original Message----- > From: kerberos-bounces@mit.edu > [mailto:kerberos-bounces@mit.edu] On Behalf Of Renzi, Gary > Sent: Wednesday, June 25, 2003 12:50 PM > To: kerberos@mit.edu > Subject: Kerberos error > > I am a MCSE at CTA in Honolulu Hawaii. I have run into this > message and > error , have search and search for a resolution, have yet to find any > reference to the error or anyone at Microsoft that can help me. After > reading your article " Kerberos: The Network Authentication > Proto...

RE: MIT Kerberos and Solaris 10 Kerberos
Greetings, and thanks for the response. > > We run a number of Solaris 8 systems using Sun's SEAM PAM > implementation > > and MIT's Kerberos (which we're up to date on). We are > starting to look > > at Solaris 10, and are hoping to move towards Sun's > implementation of > > Kerberos. We are having a bit of trouble getting the two to talk > > properly, however. > > I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos. > It is linked directly with the Solaris Kerberos libraries (private). I am trying to get the Solaris Kerberos (SEAM) on the Sol 10 system to talk to the MIT Kerberos on the KDC and other Solaris 8/MIT systems. > Solaris 10 Kerberos interops very well with MIT, Heimdal, and > Microsoft. > It has support for all of the enctypes (AES, RC4, 3DES, DES) finally. But I can't seem to get it to work. > > If we SSH (from production to test, for example) to a > Solaris 8 machine, > > then we can rlogin (Kerberized) to the Solaris 10 machine and, from > > there, rlogin to a Sol8 machine again. If, however, we SSH > directly to > > the Solaris 10 machine, we cannot rlogin to a Solaris 8 > machine. Doing > > various experiments (for example, trying to ksu on the Sol > 10 machine), > > the only error we ever get is: > > > > ksu > > WARNING: Your password may be exposed if you enter it here and are &g...

RE: MIT Kerberos and Solaris 10 Kerberos #3
Thanks for the response. Please see inline... > In Solaris 10, all of the Kerberos services are already bundled, > there is no longer any external packages that need to be added. Right. > Whoever told you 'ksu' was part of the encryption kit was mistaken, > ksu has never been part of SEAM. OK, thanks for that clarification. It was a bit of a surprise to me when I was told it was there. So, does the Solaris 10 SEAM have any functionality similar to ksu, or just the standard su command? > The encryption kit for Solaris 10 enhances the overall crypto > capabilities of the system, the only benefit Kerberos gets is > that it can support AES-256 with the S10 encryption kit. > Without the S10 encryption kit, the strongest AES crypto > available for Kerberos in S10 is AES-128. And this fits more with what I understood, before my co-worker's comments. > On the S10 system, you must make sure to enable the "eklogin" service. > Run this command (as root): > > # svcadm enable eklogin Hmm. That may be a good part of my problem. I added the inetd.conf entry for the old (MIT) eklogin, and ran inetconv. So, this is probably really confusing the system. I'll try to revert that, and do the svcadm. > For Solaris 8 with the SEAM rlogin daemon, make sure your > inetd.conf entries > are correct. We don't actually run SEAM on any Sol8 systems; it's all MIT. > Don't bother with inetd.conf in S10, ...

RE: MIT Kerberos and Solaris 10 Kerberos #6
OK, I think I have fixed the services. I have: # svcs -v | grep login online - 13:25:02 35 svc:/system/console-login:default online - 13:25:11 - svc:/network/login:eklogin online - 13:25:12 - svc:/network/login:klogin online - 13:25:12 - svc:/network/login:rlogin (Just to make sure, those ARE the correct versions? The ones I removed looked like: # svcadm disable svc:/network/klogin/tcp:default # svcadm disable svc:/network/eklogin/tcp:default The first entry in the svcs listing is, I assume, my root console login via the terminal server.) Or did I cancel the wrong two? If I use the MIT rlogin to go to another server, this fails (and no message gets logged on the KDC). I expect this is correct behaviour (needing the SEAM version). So, where do I find the Solaris 10 SEAM version of rlogin? The rlogin in /bin seems to be the old, un-Kerberized one, or is this actually a Kerberized one? In which case, it never seems to get a connection, and again, doesn't log anything on the KDC. I can use the Solaris 8/MIT rlogin to go from one of the old Solaris 8/MIT systems to the Solaris 10 box. Thanks again. Rainer ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos e@atcoitek.com wrote: > OK, I think I have fixed the services. I have: > # svcs -v | grep login > online ...

RE: MIT Kerberos and Solaris 10 Kerberos #2
BTW, as a further clarification, the system was installed initially using our MIT Kerberos build (i.e. the same as we use on all of the Solaris 8 machines). I am now trying to get it to work with the Solaris 10 SEAM. One problem I see immediately (refreshing my memory with a couple quick tests) is that, when using the Sol10 SEAM to install the keytab, I immediately get: # kadmin -p rheilke/admin Authenticating as principal rheilke/admin@ATCOTEST.CA with password. Password for rheilke/admin@ATCOTEST.CA: kadmin: ktadd host/salty.atcotest.ca kadmin: Communication failure with server while changing host/salty.atcotest.ca's key kadmin: So, the Sol10 SEAM cannot seem to talk to the KDC. Rainer ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Heilke, Rainer wrote: > BTW, as a further clarification, the system was installed initially > using our MIT Kerberos build (i.e. the same as we use on all of the > Solaris 8 machines). I am now trying to get it to work with the Solaris > 10 SEAM. > > One problem I see immediately (refreshing my memory with a couple quick > tests) is that, when using the Sol10 SEAM to install the keytab, I > immediately get: > > # kadmin -p rheilke/admin > Authenticating as principal rheilke/admin@ATCOTEST.CA with password. > Password for rheilke/admin@ATCOTEST.CA: > kadmin: ktadd host/salty.atcotest.ca > kad...

kerberos error code 0x34
To Kerberos team. At the moment I am analysing a kerberos authorisating problem. Kerberos , installed on W2000 is sending back "kerberos error code 0x34" I look every where on the internet and I can not find the contents off this error code. It's also not in the RFC 1520. Do you know the contents off the "kerberos error code 0x34" Regards, ad goes Xerox Holland ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

RE: MIT Kerberos and Solaris 10 Kerberos #5
> > Can we force the Sol10 box to only use DES, to be > compatible with the > > Sol8/MIT systems (which is everything but the one Sol10 box)? > > If you are using MIT Kerberos on the Solaris 8 systems (including > pam_krb5 made for MIT, not the one that comes with SEAM), then > you should not worry about the enctypes because MIT already > supports all of the enctypes that S10 supports. > > The only time you need to worry about enctypes is when you > are using pre-S10 systems with SEAM apps. IN that situation, > ONLY the pre-solaris 10 systems need to have the DES keys, > it is perfectly acceptable for the S10 systems to have AES > and S8/S9 to have DES. This should not affect interop if > your keytabs are correctly populated on the pre-S10 boxes. Excellent, thanks. That makes life significantly easier. > earlier comments, > > they already are DES; is that correct? > > > > Not necessarily. If your S8 systems are MIT, then you don't > really need to worry much about the enctype support because > MIT has support for all enctypes (DES through AES-256). Right, as per your comments above. :-) > If you use a 3rd party pam_krb5 library that links with MIT > Kerberos, then you should not have any enctype issues on > Solaris 8. We aren't using any Sol8 SEAM (all MIT, except for the new Sol10 box), using the MIT libs. > You may be seeing problems on your S8 systems because ...

RE: MIT Kerberos and Solaris 10 Kerberos #4
Thanks. We'll have to keep our eyes open for 5-1.4. Rainer > -----Original Message----- > From: Tom Yu [mailto:tlyu@mit.edu] > Sent: Tuesday, January 11, 2005 11:12 AM > To: Wyllys Ingersoll > Cc: Heilke, Rainer; kerberos@mit.edu > Subject: Re: MIT Kerberos and Solaris 10 Kerberos > > > >>>>> "Wyllys" == Wyllys Ingersoll <wyllys.ingersoll@sun.com> writes: > > Wyllys> That's because Solaris 10 'kadmin' uses RPCSEC_GSS and > Wyllys> MIT uses a slightly different RPC protocol. > > [...] > > Wyllys> There have been patches submitted to the MIT codebase to make > Wyllys> it able to support RPCSEC_GSS (and thus interop with > Solaris kadmin), > Wyllys> but Im not sure if those are in the latest release or not. > > RPCSEC_GSS support will be present in krb5-1.4 (currently in beta). I > have done a brief successful interop test against SEAM's kadmin > protocol. Independent confirmation would be useful. > > ---Tom > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Using Solaris 10 built in Kerberos support with Kerberos application
In an attempt to use vendor provided Kerberos support where possible, we have been able to use the Solaris 10 Kerberos and the Solaris provided kinit, pam_krb5 and ssh or any application that uses Kerberos via GSSAPI. But we have a number of other Kerberos applications, including qpop for Kerberized pop service, aklog with OpenAFS and kerberized CVS. The problem is that Solaris only exposes Kerberos via GSSAPI, and does not provide the krb5.h files or the normal Kerberos libraries. *What I would like to ask SUN is to include the krb5.h and its friends with the Solaris 10 base system.* To get around this, http:/www.opesolaris.org/source/xref/usr/src/uts/common/gsspai/mechs/krb5/include has a krb5.h that appears to match the /usr/lib/gss/mech_krb5.so that comes with Solaris 10. (I actually downloaded the tarfile to get the header files.) I have managed to get qpop-4.0.5 and OpenAFS-1.4.0-RC1 aklog to compile and run using this krb5.h with some modification, and the MIT-1.4.1 profile.h and com_err.h. Some problems along the way: o mech_krb5.so has most of the Kerberos routines and can be used as a shared library, but is clumsy to link as its not a "libxxx" o The opensolaris krb5.h is not guaranteed to match the mech_krb5.so o The krb5.h refers to profile.h which is not supplied. o Many of the Kerberos applications also use com_err.h which is not supplied. o There is no com_err add_error_table. o Solaris does not have krb524. So aklo...

Re: handling of kerberos error in win2k
hi, I found a little light in my search, but haven't found a complete answer yet: When a user invoke the SAS sequence, winlogon will call GINA function: WlxWkstatLockedSAS, which in turn will call LsaLogonUser. LsaLogonUser does the authentication. If the authentication fails, it may return for example STATUS_LOGON_FAILURE (if username or password are wrong), STATUS_ACCOUNT_RESTRICTION (for example if the username and password are correct but the password has expired). In the later case, the LsaLogonUser will set SubStatus to STATUS_PASSWORD_EXPIRED. (I simplify the whole process to my own needs by the way, it should be more complicated than this) So I conclude (correct me if I'm wrong) that when the KDC returns KDC_ERR_PREAUTH_REQUIRED, LsaLogonUser will simply return STATUS_LOGON_FAILURE to GINA or STATUS_ACCOUNT_RESTRICTION when the KDC returns KDC_ERR_KEY_EXPIRED. In case of KDC_ERR_PREAUTH_REQUIRED, is there any way for GINA to know that the exact error code, and not just STATUS_LOGON_FAILURE ? -lara- --- Lara Adianto <m1r4cle_26@yahoo.com> wrote: > Hi, > > I'm experimenting with MIT KDC and windows 2000 as > the > client that authenticates to MIT KDC, and I might > need > to replace the GINA in the windows client in order > to > achieve what I want. > > Does anybody know, in windows 2000, who (LSA, GINA, > SSP) handles the following issue and how it is > handled > ? > 1. If the authentication is ...

Re: handling of kerberos error in w2k
>When KDC_ERR_PREAUTH_REQUIRED is returned by the KDC, >the client will examine the KRB_ERROR data to determine >if the client understands the desired type of >pre-authentication >data which is required. If it does, it will simply >return the >necessary information. If it does and requires user >input >the Kerberos SSP/AP will prompt the user for the >necessary >input. If the required pre-auth data cannot be >provided the >Kerberos SSP/AP will return a failure code to the LSA >which >in turn will log to the event log. >Jeffrey Altman thanks for the reply jeffrey, you mean it's the SSP who will prompt the user for input, and not the GINA ? Do you happen to know the name of the function which does that ? I can't find any in http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/authentication_functions.asp, I thought that SSP is supposed to tell GINA, so that GINA can invoke WlxDisplayStatusMessage or WlxMessageBox ? lara ===== ------------------------------------------------------------------------------------ La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit - Guy de Maupassant - ------------------------------------------------------------------------------------ __________________________________ Do you Yahoo!? Yahoo! Mail - You care about security. So do we. http://promotions.yah...

Re: encryption algorithm used by kerberos
Triple DES, RC4 and AES are supported by many Kerberos implementations, in addition to DES. -- Luke >From: <Kent_Wu@trendmicro.com> >Subject: encryption algorithm used by kerberos >To: <kerberos@mit.edu> >Date: Fri, 14 Nov 2003 16:43:29 -0800 > >Hi, > > In the kerberos authentication process, it does encryption a lot to guarantee the security. Hoever from the >materials I read it seems it's using DES encryption method behind it which is not considered safe anymore, so >are we going to use a more advanced algorithm or we've done that already? > >Thanks. > >Kent > >________________________________________________ >Kerberos mailing list Kerberos@mit.edu >https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Hi, I'm trying to setup an environment where people can use either win2k AD KDC or an MIT KDC. I can get AD to trust MIT KDC, but if I want to use samba it doesn't use this trust. Is there any way to synchronize passwords between MIT and AD? I would guess the answer is no.. But I thought I'm better off asking. If anyone has any ideas I'm all ears. Fergus ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

RE: Looking up Kerberos error codes
If you don't already have a mechanism for this, ERR.EXE is a great (Windows) tool for looking up error codes, including a good number of Kerberos errors: http://www.microsoft.com/downloads/details.aspx?FamilyId=BE596899-7BB8-4 208-B7FC-09E02A13696C&displaylang=en. > err /kerberr.h 13 # kerberr.h selected. # for decimal 13 / hex 0xd : KDC_ERR_BADOPTION kerberr.h # for hex 0x13 / decimal 19 : KDC_ERR_SERVICE_REVOKED kerberr.h # 2 matches found for "13" The constant names are probably different from mitkrb5, but they're usually similar enough to get the idea. I realize you may/may not have a Windows machine available for this purpose, but just in case. FYI. -Dave --- This message is provided "AS IS" with no warranties, and confers no rights. This message may originate from an unmonitored alias ("davespam") for spam-reduction purposes. Use "davidchr" for individual replies. Any opinions or policies stated within are my own and do not necessarily constitute those of my employer. This message originates in the State of Washington (USA), where unsolicited commercial email is legally actionable (see http://www.wa-state-resident.com). Harvesting of this address for purposes of bulk email (including "spam") is prohibited unless by my expressed prior request. I retaliate viciously against spammers and spam sites. > -----Original Message----- > From: kerberos-bounces@MIT.EDU > [mailto:kerberos-bo...

RE: MIT Kerberos and Solaris 10 Kerberos
Wohoo! I read the man page for rlogin, and it is both the old rlogin, and the new (or something like that). Seems that you just have to give it the correct switches, and it Kerberizes the command. So, I did: rlogin -AF <sol8server> and it works! Thank you to Wyllys for all of your help. Now I'm going to try installing from scratch, and make sure I do the build properly. One question left for Wyllys before I do, though. Since ksu doesn't exist in the Solaris SEAM product, is our only option su? Rainer ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Heilke, Rainer wrote: > Wohoo! > > I read the man page for rlogin, and it is both the old rlogin, and the > new (or something like that). Seems that you just have to give it the > correct switches, and it Kerberizes the command. So, I did: > > rlogin -AF <sol8server> > > and it works! > Excellent! > Thank you to Wyllys for all of your help. No problem, glad I could help. > > Now I'm going to try installing from scratch, and make sure I do the > build properly. > > One question left for Wyllys before I do, though. Since ksu doesn't > exist in the Solaris SEAM product, is our only option su? possibly 'su' with pam_krb5 for the authentication. Its not quite the same as 'ksu', though. -Wyllys ______________________________...

RE: Linux authentication using Kerberos and AD
Also, I believe that you must either put the user into NIS or the local files, you do not have to have a shadow entry in local files. I have not tried via NIS yet. On the MS side you do not need AD4Unix. You need to install the current service packs, if 2000 you need the high encryption pack, and Microsoft services for UNIX 3.5 I think is the current version. In the AD user management tool you need to go to the UNIX tab and add that user to NIS. Make sure the uid and gid match what you put into the passwd file. On your Linux client you need a ldap.conf something like this... host yourhost base dc=your,dc=ad,dc=domain ldap_version 3 binddn cn=yourldapauthorizedaccount,cn=Users,dc=your,dc=ad,dc=domain bindpw aboveuserspw pam_password ad nss_map_objectclass posixAccount User nss_map_objectclass shadowAccount User nss_map_attribute uid msSFU30Name nss_map_attribute uniqueMember member nss_map_attribute userPassword msSFU30Password nss_map_attribute homeDirectory msSFU30HomeDirectory nss_map_objectclass posixGroup group nss_map_attribute uidNumber msSFU30UidNumber nss_map_attribute gidNumber msSFU30GidNumber nss_map_attribute gecos displayName nss_map_attribute loginShell msSFU30LoginShell pam_login_attribute msSFU30Name pam_filter objectclass=User You need to configure your files in /etc/pam.d properly You need to add ldap to /etc/nsswitch.conf Of course you have to setup krb5.conf kdc.conf -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mi...

RE: encryption algorithm used by kerberos #2
Sam Hartman wrote: > * Cibersafe supports a 3DES incompatible with the rest of the world This is not strictly true, especially considering the many PacketCable and CableHome implementations on the market and their use of the same 3DES cipher suite as the CyberSafe products. To clarify this I have provided a more complete list of 'modern' Kerberos implementations to avoid any miss-interpretation of Sam's reference to this : MIT - 3DES with HMAC/SHA1 digest - AES - RC4 with HMAC Heimdal - 3DES with HMAC/SHA1 digest - AES - RC4 with HMAC Microsoft - RC4 with HMAC CyberSafe (www.cybersafe.ltd.uk) - 3DES with MD5 digest - RC4 with HMAC (available very soon ...) - AES (available very soon ...) IPFonix (www.ipfonix.com) - 3DES with MD5 digest (The requirement for 3DES with MD5 digest is documented on page 62 of PacketCable security specification) Jungo (http://www.jungo.com/openrg/rgcablehome.html) - 3DES with MD5 digest (Uses similar security standards as PacketCable) Summary: With the large number of vendors involved in PacketCable/CableHome (there are too many to list here) it is clear that the 3DES cipher with MD5 digest (as supported by CyberSafe) is here to stay for a very long time. Today, with RC4 support many of the above Kerberos implementations can work well with with Microsoft AD, however the long term desire is for all implementations to use AES as a default/preference instead of RC4. Currently there is no standard for AES with GSS-API/SSPI -...

RE: MIT Kerberos and Solaris 10 Kerberos
> possibly 'su' with pam_krb5 for the authentication. Its not quite > the same as 'ksu', though. Douglas says the same. The su man page indicates something about this, but not a lot of details there. I'll look into this further. As far as a co-worker is concerned (and in our environment, I can see his point), this would be a show stopper. We use ksu for all sorts of things, including giving DBA's access to Oracle ID's. Thanks again for all of the help. I'll go through the su and pam.conf man pages, and see if I can figure it out. Rainer ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Heilke, Rainer wrote: >>possibly 'su' with pam_krb5 for the authentication. Its not quite >>the same as 'ksu', though. > > > Douglas says the same. The su man page indicates something about this, > but not a lot of details there. I'll look into this further. As far as a > co-worker is concerned (and in our environment, I can see his point), > this would be a show stopper. We use ksu for all sorts of things, > including giving DBA's access to Oracle ID's. > > Thanks again for all of the help. I'll go through the su and pam.conf > man pages, and see if I can figure it out. Make sure you have a root window open before testing PAM. I stumbled on this when I tried to su and my t...

RE: MIT Kerberos and Solaris 10 Kerberos
<laugh> Yup, I learned (the hard way!) to always stay logged in to a console session as root. R > Make sure you have a root window open before testing PAM. I > stumbled on > this when I tried to su and my test pam exit failed! ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

RE: Server not found in Kerberos database error on ldapsearch
> You should not need these.

Ok.

> Some things to try:
>
> Wireshare or other trace program to see DNS and Kerberos requests.
> This should show name of the "Server not found in Kerberos database"

I captured the request dialog with wireshark and got this (the things I think are important):

MSG Type: KRB-ERROR
Error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: EXAMPLE.COM
Server Name (Unknown): krbtgt/COM
    Name-type: Unknown (0)
    Name: krbtgt
    Name: COM

I guess that indicates an error in my krbtgt setup. But where should I search for it and what does the right setup look like?

> On the unix side, do you have a /etc/krb5.conf or /etc/krb5.conf?
> Is the default realm (in uppercase) the same as the AD domain name?
> if not, you may need a krb5.conf, or the -R option on ldapsearch.

Yes, I do have a krb5.conf on the unix side. Here it is:

[libdefaults]
    default_realm=EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
#   default_tkt_enctypes = des-cbc-md5 des-cbc-crc
#   default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
#   v4_instance_resolve = false
#   v4_name_convert = {

[realms]
    EXAMPLE.COM = {
        kdc = 192.168.10.4:88
        admin_server = 192.168.10.4:749
    }

[domain_realm]
    .example.com = EXAMPLE.COM

As you can see, it is a setup for some tests...
-----------------
...
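The KRB-ERROR above names the server principal the KDC could not find, and Douglas's suggestion to compare the default realm with the AD domain name points at how the client chose that realm. The following is an added example, not code from the thread or from MIT Kerberos: it parses a small krb5.conf and applies the [domain_realm] lookup an MIT-style client performs before requesting a service ticket (the host name itself, then each parent domain written with a leading dot, then default_realm). The krb5.conf text and host names are constructed for the demonstration, and the assumption that this order matches MIT's krb5_get_host_realm in every detail is mine.

```python
"""Added example: how a Kerberos client maps a service host to a realm.

Not code from the thread or from MIT Kerberos. It models the
[domain_realm] lookup an MIT-style client performs before it asks the
KDC for a service ticket: the host name itself, then each parent domain
written with a leading dot, then default_realm. That this matches
krb5_get_host_realm in every detail is an assumption; the krb5.conf text
and host names below are constructed for the demonstration.
"""
import re

# Constructed krb5.conf, modelled on the one posted in the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = 192.168.10.4:88
        admin_server = 192.168.10.4:749
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    legacy.example.com = LEGACY.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat key = value lines.

    Nested { } blocks (the per-realm entries under [realms]) are skipped
    because the realm lookup only needs [libdefaults] and [domain_realm].
    Keys are lower-cased because domain_realm keys are DNS names, which
    are case-insensitive. Values (realm names) keep their case.
    """
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and depth == 0:
            current = sections.setdefault(header.group(1).lower(), {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def realm_for_host(sections, hostname):
    """Return (realm, rule) for hostname, or (None, 'unresolved')."""
    host = hostname.lower().rstrip(".")
    mapping = sections.get("domain_realm", {})
    if host in mapping:
        return mapping[host], "exact host entry"
    labels = host.split(".")
    # Longest parent domain first: .sub.example.com, .example.com, .com
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], "parent domain entry " + parent
    default = sections.get("libdefaults", {}).get("default_realm")
    if default:
        return default, "default_realm (no [domain_realm] match)"
    return None, "unresolved"


def service_principal(sections, service, hostname):
    """Build the service principal name the client would ask the KDC for."""
    realm, _ = realm_for_host(sections, hostname)
    if realm is None:
        raise ValueError("no realm for " + hostname)
    return "%s/%s@%s" % (service, hostname.lower().rstrip("."), realm)


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ("ldap.example.com", "legacy.example.com",
              "host.sub.example.com", "dc1.other.net"):
        print(h, "->", realm_for_host(conf, h))
    print(service_principal(conf, "ldap", "DC1.Example.COM"))
```

When debugging a "Server not found in Kerberos database" error, compare the principal this lookup produces with the Server Name shown in the captured KRB-ERROR: if the realm or host component is not what the KDC actually holds, the [domain_realm] mapping and default_realm in the client's krb5.conf are the first things to check.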

Re: Problem using Kerberos for user authentication -- ChallengeResponseAuthentication
Hi all,

We are running Kerberos/Ldap on RHEL 5.2, both server and clients. We have found that if we set ChallengeResponseAuthentication yes in sshd_conf the result is no TGT ticket is created when a user logs in by ssh. This problem is detailed in a Debian bug report here; we don't see it having ever been fixed in redhat:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=339734

Setting PasswordAuthentication yes does work, at least in our environment. If anyone has any further information on this we'd appreciate it.

Cheers,
Steve

On Wed, Nov 11, 2009 at 11:2...

RE: Kerberos error
Problem solved!

The trouble was the 'realm' parameter should have been named "OLLUSA.EDU" and not "OLLUSA." I had seen the OLLUSA name mentioned in the Active Directory tools area, but I learned that the Kerberos domain name is always the domain name (ollusa.edu) in upper case. By viewing the event logs on the AD server, I found a successful login that had used the OLLUSA.EDU realm, so that provided the necessary clue.

Paul

From: Lamping, Paul A
Sent: Thursday, October 29, 2009 5:46 PM
To: 'kerberos@mit.edu'
Subject: Kerberos error - KDC reply did not match expectations

I'm new to Kerberos and I have an issue in setting my AIX 5.3 system to authenticate against a Windows 2003 Active Directory server via Kerberos. I followed the instructions from the IBM website on Kerberos integration (http://publib.boulder.ibm.com/infocenter/systems/index.jsp?topic=/com.ibm.aix.security/doc/security/kerberos_auth_only_load_module.htm).

Whatever I do, I can't get my Kerberos user to authenticate when I login or su to that user. I get an "unable to authenticate" message and the "KDC reply did not match expectations" in the syslog file.

Oct 29 17:23:44 olladmin_1 auth|security:debug su: [krb_authenticate] Error in getting TGT ...
Oct 29 17:23:44 olladmin_1 auth|security:debug su: KDC reply did not match expectations
Oct 29 17:23:44 ollad...
