RE: kinit request on keytab fails using 2K3sp1 KDC #3
>From the determined kvno information, I am worried that starting again >will not resolve my issue. Assuming that the kvno is reset to 1, using >kvno and klist to determine the version number should return similar >results to above, but showing the number to be 1. What would the >difference be and would it resolve the pre-authentication issue? We found that even if we start again, we could not get the pre-auth to work. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Tim...

RE: kinit request on keytab fails using 2K3sp1 KDC #4
David, I have seen this problem before. It does not occur with the pre-SP1 version of ktpass. Conclusion : If you want to create keytable files which have correct kvno's and which work correctly with des, then you must use the pre-SP1 version of ktpass. Thanks, Tim -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer Sent: 23 March 2006 17:39 To: kerberos@mit.edu Subject: Re: kinit request on keytab fails using 2K3sp1 KDC Jeffrey Altman wrote: > Why do you need the kvno to be 1? It wasn't so much that they neede...

RE: kinit request on keytab fails using 2K3sp1 KDC #2
David, Like yourself we spent many days/weeks trying to get the sp1 version of ktpass to work, but we could not, so we have developed our own replacement product that uses computer accounts instead. Cheers, Tim -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer Sent: 23 March 2006 09:47 To: kerberos@mit.edu Subject: Re: kinit request on keytab fails using 2K3sp1 KDC Richard E. Silverman wrote: > > TA> It seems that the sp1 version of ktpass stores a key with a > TA> specific kvno in the keytab file, ...

kinit request on keytab fails using 2K3sp1 KDC
Hello, I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to configuring mod_auth_kerb. I have used the following command to generate a keytab on the KDC; ktpass -mapuser intsvcuser@smg.plc.uk -princ HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab" The *nix server is running Solaris 9 with MIT krb5-1.4.3. I have transfered the keytab to /etc/krb5.keytab. When I run ; #/usr/local/bin/kinit -k -t /etc/krb5.keytab HTTP/connect.smg.plc.uk@SMG.PLC.UK I get the following error; ...

can keytab created on Linux KDC be used when using windows KDC ?
Hi all, I am trying interoperablity between linux machines using windows KDC. I have a question regarding the keytab file usage. Assuming that I create keytab file using Linux KDC for a client called "test.kerberos.com" in the realm "KERBEROS.COM" Can I use the same keytab for the linux machine when it uses windows as KDC ? Has anybody tried this ? Is it possible ? If not possible, can you please explain why it is not possible ? Does windows KDC and Linux use different methods to create keytab ? - Sandy. ...

Re: kinit(v5): Cannot contact any KDC for requested......
I'm also using Kerberos with RH... I don't see your hosts in your principal list... You should add the host, with a random key and store it in /etc/krb5.keytab for every host that's in the realm, including the KDC. That could be the cause of your problem... I'm not sure though I'm also not using DNS. - Jin On Wed, 12 Nov 2003 20:54:52 -0700 muzaffar.sultan@telvent.abengoa.com wrote: > Hi All, > > This is my first email to clug. I hope there's kerberos expert on this > list. > I've been battling with kerberos issues for couple of days. > > ...

Re: kinit(v5): Cannot contact any KDC for requested...... #2
Thanks Jin for the tip. I tried that as well and it did not work. I've stopped using DNS to troubleshoot the problem. Here's principals list: [root@kerberos sample]# /usr/local/sbin/kadmin.local Authenticating as principal muzaffar/admin@RTDLINUX.COM with password. kadmin.local: listprincs K/M@RTDLINUX.COM host/kerberos.rtdlinux.com@RTDLINUX.COM kadmin/admin@RTDLINUX.COM kadmin/changepw@RTDLINUX.COM kadmin/history@RTDLINUX.COM krbtgt/RTDLINUX.COM@RTDLINUX.COM muzaffar/admin@RTDLINUX.COM root@RTDLINUX.COM sample/kerberos.rtdlinux.com@RTDLINUX.COM Here's output from keytab file:...

RE: Kerberos error 52 (0x34) when using kinit
Hello Douglas, Thanx for the response. I'll get the latest version from MIT and try again. Regards, Bruce. -----Original Message----- From: Douglas E. Engert [mailto:deengert@anl.gov] Sent: Friday, December 10, 2004 8:57 AM To: Wells, Bruce Cc: kerberos@mit.edu Subject: Re: Kerberos error 52 (0x34) when using kinit Wells, Bruce wrote: > Hello All, > I'm getting the above error when I try to get the initial ticket using > kinit. The KDC is Windows 2003 and the client is running on linux. My > understanding of kerberos and the KDC in particular is that if the KDC &...

Re: validating keytab files: Cannot find KDC for requested realm whilegetting initial credentials
Adding "dns_lookup_kdc = true" to the [libdefaults] section of krb5.conf seems to fix the problem. Frank "Frank Balluffi" <frank.balluffi+exter To: kerberos@mit.edu nal@db.com> ...

[ace-bugs] Re: [tao-users] Failure using DIOP Protocol ... / CORBA client fails if diop:// is configured as an endpoint
Hi Michael, > Yes, for UDP I could not find out how to let the OS select a free > port - by default it uses always the same - which in the case of two > servers leads to a problem. Did you try to use ACE_Sock_Connect::bind_port()? This is supposed to let the OS select a free port on a particular handle! UV, if you're feeling adventureous you might seeing if you can make this work. > I had long discussions about this with network experts. The smallest > common demoninator we found to be working in our networks was 4k, > but we had also suggessful tests w...

Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Christopher, I had the exact same problem. I was given 2 patches for KRB 1.4.1 and it fixed the problem. I applied the patches to my 1.4.2 source and the problem is resolved there too. Here are the patches: DNSGLUE.C Patch: *** ./src/lib/krb5/os/dnsglue.c.orig Fri Jan 14 17:10:53 2005 --- ./src/lib/krb5/os/dnsglue.c Thu May 5 11:39:52 2005 *************** *** 62,68 **** --- 62,76 ---- char *host, int nclass, int ntype) { #if HAVE_RES_NSEARCH + #ifndef LANL struct __res_state statbuf; + #else /* LANL */ + #ifndef _AIX + struct __res_state statbuf;...

question about MIT Kerberos KDC processing PROXY KDC requests
Hello, I understand that proxiable/proxy tickets are rarely used and the corresponding code in the MIT Kerberos implementation is not very well tested. However, I found two possibly buggy places in the KDC code, so I think this is worth asking about. I used the MIT Kerberos distribution and was able to make proxiable/ proxy tickets work, but had two make two changes in the KDC source code. I would like to ask if these are really bugs or not. We use the MIT Kerberos 1.6.3 release. Both suspicious places are in kdc/ kdc_util.c, validate_tgs_request(): 1. line 1144: if (request->kdc_op...

AD KDC - msktutil
Hi, I have this error (see subject) when using msktutil. Any idea what's wrong with my setup? (I've replaced hostnames and OU structure) /etc/krb5.conf (part) ========== [libdefaults] default_realm = EXAMPLE.ORG dns_lookup_realm = false dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] EXAMPLE.ORG = { default_domain = msnet.railb.be kdc = ictdc01.example.org admin_server = ictdc01.example.org admin_keytab = FILE:/etc/krb5.keytab } [domain_realm] .example.org = EXAMPLE.ORG example.org = EXAMPLE.ORG msktutil --create -h ts...

RE: Re: Re: wxMac: loading a dynamic library with wxDynamicLibrary fails (NSCreateObjectFileImageFromFile fails)
Hi Bernhard thanks for testing, I'll look at it, perhaps using CFBundle would give a more versatile implementation at least for wxMac. Is there a reason why we must use=20 NSCreateObjectFileImageFromFile ? Best, Stefan=20 > -----Original Message----- > From: news [mailto:news@sea.gmane.org] On Behalf Of Bernard=20 > Krummenacher > Sent: Samstag, 1. April 2006 15:13 > To: wx-users@lists.wxwindows.org > Subject: Re: Re: wxMac: loading a dynamic library with=20 > wxDynamicLibrary fails (NSCreateObjectFileImageFromFile fails) >=20 > Stefan Csom...

Tabs/spaces for indentation (was Re: re.search when used within an if/else fails)
On Thu, Nov 29, 2012 at 8:39 AM, Steven D'Aprano <steve+comp.lang.python@pearwood.info> wrote: > Perhaps it would be nice if Python honoured a directive setting indent > style to spaces or indents, as it honours source code encoding lines: > > # -*- indent: <mode> -*- > > Where <mode> could be one of: > > space[s] Only accept spaces in indentation > tab[s] Only accept tabs in indentation > mixed Accept "mixed" tabs and spaces, but only if consistent > > with mixed the default for backward...

Re: Re: MIT Kerberos 5 v1.9.1 krb5_set_password_using_ccache() fails with Windows 2003 R2
On Mon 14/11/11 17:30 , Greg Hudson ghudson@MIT.EDU sent: > On 11/14/2011 11:49 AM, Greg Hudson wrote: > > I would expect 1.6.1 to send the TGS request with > the canonicalize bit> set. Can you look at the packet trace for 1.6.1 > (or post results if> you've already looked at it)? Perhaps there's a > difference there which> will explain the different outcome. > > Nevermind, I think I know why 1.6.1 succeeds and 1.9 fails. 1.6 > through1.8 have a workaround for this specific AD behavior (fall back to a > non-referral request if you get back a T...

Using re.VERBOSE, and re-using components of regex?
Hi, I'm trying to compile a regex Python with the re.VERBOSE flag (so that I can add some friendly comments). However, the issue is, I normally use constants to define re-usable bits of the regex - however, these doesn't get interpreted inside the triple quotes. For example: import re TIMESTAMP = r'(?P<timestamp>\d{2}:\d{2}:\d{2}.\d{9})' SPACE = r' ' FOO = r'some_regex' BAR = r'some_regex' regexes = { 'data_sent': re.compile(""" ...

Re: Bind 9.2.5 and IPv6 fails with client.c:1325: unexpected error: failed to get request's destination: failure
> Hi, > > I have a very strange problem with a Bind server version 9.2.5 on Fedora > Core 3. > > Named listen to one IPv4 address and any IPv6 address. The configuration > has been running for many months. No changes where made recently to the > configuration except for adding or removing slave zones. > > The symptom is that the server does not answer request to the IPv6 > address + port UDP 53. It still answers requests to the UDP and TCP port > 53 using IPv4 and to the TCP port 53 using IPv6. Using dig on the > server, or on any ...

Re: Bind 9.2.5 and IPv6 fails with client.c:1325: unexpected error: failed to get request's destination: failure #2
> > > Hi, > > > > I have a very strange problem with a Bind server version 9.2.5 on Fedora > > Core 3. > > > > Named listen to one IPv4 address and any IPv6 address. The configuration > > has been running for many months. No changes where made recently to the > > configuration except for adding or removing slave zones. > > > > The symptom is that the server does not answer request to the IPv6 > > address + port UDP 53. It still answers requests to the UDP and TCP port > > 53 using IPv4 and to the ...

Re: Bind 9.2.5 and IPv6 fails with client.c:1325: unexpected error: failed to get request's destination: failure #3
> Hello, > > Roland Dirlewanger a �crit : > > > > I have a very strange problem with a Bind server version 9.2.5 on Fedora > > Core 3. > > > > Named listen to one IPv4 address and any IPv6 address. The configuration > > has been running for many months. No changes where made recently to the > > configuration except for adding or removing slave zones. > > > > The symptom is that the server does not answer request to the IPv6 > > address + port UDP 53. It still answers requests to the UDP and TCP port &g...

RE: kinit fail on AIX
We saw this problem in our AIX environment also when we moved up from 1.3.6 to 1.4.3 and we had to apply a patch to fix this. -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Hong Ye Sent: Friday, April 21, 2006 1:08 PM To: kerberos@mit.edu Subject: kinit fail on AIX Hi, I compiled and installed kerberos 1.4.3, 1.4.1, 1.3.6 on AIX (5.2). Kinit works fine for version 1.3.6. But when I run kinit under v1.4.3 or 1.4.1, it gave me error: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credenti...

Re: using MAILTO protocol
> The big problem isn't that *browsers* don't understand it (the majority of them do), but <snip> I'm sorry, but this reasoning reminds me the immortal "I smoked, but I did not inhale" :-) If a browser cannot handle an HTML tag/link, it means that IT DOES NOT SUPPORT IT. Why it doesn't support it - this is the secondary question (programming mistake, missing interface, etc.) If this tag/link is a part of HTML standard which the browser is claiming to be in full compliance with, this is a serious problem addressed to the browser's authors. Good news is ...

RE: kinit fail on AIX #2
This is the same patch that worked for us also. -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Christian Weiss Sent: Saturday, April 22, 2006 5:55 AM To: kerberos@mit.edu Subject: Re: kinit fail on AIX I ran into the same problem some month ago. The following patch works for me. Donn Cave, donn@u.washington.edu ----------------------------------- *** include/fake-addrinfo.h.dist Wed Jun 1 12:24:32 2005 --- include/fake-addrinfo.h Fri Aug 12 09:10:48 2005 *************** *** 1193,1199 **** a known service n...

RE: Re: wxMac: loading a dynamic library with wxDynamicLibrary fails (NSCreateObjectFileImageFromFile fails)
Hi if you'd use CFBundle calls do they give better error codes ? Best, Stefan=20 > -----Original Message----- > From: news [mailto:news@sea.gmane.org] On Behalf Of Bernard=20 > Krummenacher > Sent: Freitag, 31. M=E4rz 2006 22:35 > To: wx-users@lists.wxwindows.org > Subject: Re: wxMac: loading a dynamic library with=20 > wxDynamicLibrary fails (NSCreateObjectFileImageFromFile fails) >=20 > Starman <starmannj <at> hotmail.com> writes: >=20 > >=20 > >=20 > > Hi all, > > I'm working on porting an a...