f



RE: kinit request on keytab fails using 2K3sp1 KDC #2

David,

Like yourself we spent many days/weeks trying to get the sp1 version of
ktpass to work, but we could not, so we have developed our own
replacement product that uses computer accounts instead.

Cheers, Tim 

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of David Telfer
Sent: 23 March 2006 09:47
To: kerberos@mit.edu
Subject: Re: kinit request on keytab fails using 2K3sp1 KDC

Richard E. Silverman wrote:
>
>     TA> It seems that the sp1 version of ktpass stores a key with a
>     TA> specific kvno in the keytab file, and the kvno in the domain
>     TA> controller for the same principal is different. This is why
you
>     TA> cannot use the keytab file to authenticate.
>
> Yes; it always sets the kvno in the keytab it writes to 1, regardless
of
> the value in the KDB (which of course changes each time the key is
> extracted).  So, you can only use the keytab the first time you
extract
> it.  If you have to do it again, just delete the principal and
re-create
> it.
I am not sure whether this is the issue or not, I may be doing something

wrong but I have used the following procedure to determine the kvno of 
both the keytab and the service principal.

To determine the KDC principal kvno;

#./kinit HTTP/connect.smg.plc.uk@SMG.PLC.UK
--->prompted for system user password
#./kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK
HTTP/connect.smg.plc.uk@SMG.PLC.UK: kvno = 3

To determine the keytab kvno;

# /usr/local/sbin/ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- 
---------------------------------------------------------------------
   1    3       HTTP/connect.smg.plc.uk@SMG.PLC.UK

This is the step I am unsure of, but I believe it indicates that the 
keytab also has a KVNO of 3.  Is this correct?

Also, for each creation of the keytab I am deleting the system user and 
service principal first before creation.  Should this not reset the kvno

back to the initial value?

Thanks,
David Telfer


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

0
tim.alsop (50)
3/23/2006 10:10:54 AM
comp.protocols.kerberos 5541 articles. 1 followers. jwinius (31) is leader. Post Follow

0 Replies
401 Views

Similar Articles

[PageSpeed] 11

Reply:

Similar Artilces:

RE: kinit request on keytab fails using 2K3sp1 KDC
David, The easiest solution to this problem is to use the ktpass which was shipped with Windows 2003, and not the one with SP1. Alternatively, you can use one of the many tools available that replace the need for ktpass, and use computer accounts for key storage. These tools do not suffer from the same issues as ktpass. It seems that the sp1 version of ktpass stores a key with a specific kvno in the keytab file, and the kvno in the domain controller for the same principal is different. This is why you cannot use the keytab file to authenticate. Thanks, Tim -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer Sent: 22 March 2006 17:09 To: kerberos@mit.edu Subject: kinit request on keytab fails using 2K3sp1 KDC Hello, I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to configuring mod_auth_kerb. I have used the following command to generate a keytab on the KDC; ktpass -mapuser intsvcuser@smg.plc.uk -princ HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab" The *nix server is running Solaris 9 with MIT krb5-1.4.3. I have transfered the keytab to /etc/krb5.keytab. When I run ; #/usr/local/bin/kinit -k -t /etc/krb5.keytab HTTP/connect.smg.plc.uk@SMG.PLC.UK I get the following error; kinit(v5): Preauthentication failed while getting initial credentials I am able to obtain a ticket directly ...

RE: kinit request on keytab fails using 2K3sp1 KDC #3
>From the determined kvno information, I am worried that starting again >will not resolve my issue. Assuming that the kvno is reset to 1, using >kvno and klist to determine the version number should return similar >results to above, but showing the number to be 1. What would the >difference be and would it resolve the pre-authentication issue? We found that even if we start again, we could not get the pre-auth to work. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Tim Alsop wrote: >>From the determined kvno information, I am worried that starting again >> will not resolve my issue. Assuming that the kvno is reset to 1, using > >> kvno and klist to determine the version number should return similar >> results to above, but showing the number to be 1. What would the >> difference be and would it resolve the pre-authentication issue? > > We found that even if we start again, we could not get the pre-auth to > work. The most important new functionality in the W2K SP1 version of KTPASS is that it allows you to export RC4-based keys instead of DES. Did you try using RC4 keys or were you only interested in using single DES? Jeffrey Altman ...

RE: kinit request on keytab fails using 2K3sp1 KDC #4
David, I have seen this problem before. It does not occur with the pre-SP1 version of ktpass. Conclusion : If you want to create keytable files which have correct kvno's and which work correctly with des, then you must use the pre-SP1 version of ktpass. Thanks, Tim -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer Sent: 23 March 2006 17:39 To: kerberos@mit.edu Subject: Re: kinit request on keytab fails using 2K3sp1 KDC Jeffrey Altman wrote: > Why do you need the kvno to be 1? It wasn't so much that they needed to match, more to tidy up the situation I had on the KDC. > For example, what is the enctype of the service ticket issued by the > KDC? Does that match the enctype of the keytab entry you are using? > > What do the following commands output? > > klist -e -k /etc/krb5.keytab > > kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK > klist -e > This appears to be the problem, the keytab is being generated with DES CBD MD5, the service principal is sending an ArcFour encrypted tgt. The reason this never occured to me is that the user account has the 'use DES encryption for this account' setting ticked. I have tried the following process to force the service principal to be DES; 1 - create account 2 - run ktpass util with -mapop set +DesOnly and -crypto DES-CBC-MD5 options set. 3 - view account properites and ensure that 'use DES encryption f...

kinit request on keytab fails using 2K3sp1 KDC
Hello, I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to configuring mod_auth_kerb. I have used the following command to generate a keytab on the KDC; ktpass -mapuser intsvcuser@smg.plc.uk -princ HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab" The *nix server is running Solaris 9 with MIT krb5-1.4.3. I have transfered the keytab to /etc/krb5.keytab. When I run ; #/usr/local/bin/kinit -k -t /etc/krb5.keytab HTTP/connect.smg.plc.uk@SMG.PLC.UK I get the following error; kinit(v5): Preauthentication failed while getting initial credentials I am able to obtain a ticket directly from the kdc using #./kinit DavidTelfer@SMG.PLC.UK which would indicate that the problem wasn't a clock slew error (I haven't seen an error of this nature appear with this version of krb so I'm not sure whether it would explicitly state this). From reading a few mailing list posts I have discovered some people having issues with ktpass on service pack 1. One such post; http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/1c991fa1b6ea4ef8/3da9428688c66d72%233da9428688c66d72 details a similar problem I have followed the advice given, ensuring that the kvno's match and changing the system users password prior to generating the keytab but to no avail. My /etc/krb5.conf file is as follows (I've removed every non-essential entry to ...

Re: kinit(v5): Cannot contact any KDC for requested...... #2
Thanks Jin for the tip. I tried that as well and it did not work. I've stopped using DNS to troubleshoot the problem. Here's principals list: [root@kerberos sample]# /usr/local/sbin/kadmin.local Authenticating as principal muzaffar/admin@RTDLINUX.COM with password. kadmin.local: listprincs K/M@RTDLINUX.COM host/kerberos.rtdlinux.com@RTDLINUX.COM kadmin/admin@RTDLINUX.COM kadmin/changepw@RTDLINUX.COM kadmin/history@RTDLINUX.COM krbtgt/RTDLINUX.COM@RTDLINUX.COM muzaffar/admin@RTDLINUX.COM root@RTDLINUX.COM sample/kerberos.rtdlinux.com@RTDLINUX.COM Here's output from keytab file: [root@kerberos sample]# klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 4 kadmin/admin@RTDLINUX.COM 4 kadmin/admin@RTDLINUX.COM 4 kadmin/changepw@RTDLINUX.COM 4 kadmin/changepw@RTDLINUX.COM 2 host/kerberos.rtdlinux.com@RTDLINUX.COM 2 host/kerberos.rtdlinux.com@RTDLINUX.COM _________________________________________________________ Muzaffar Sultan--Telvent muzaffar.sultan@telvent.abengoa.com Ph: (403)-301-5020 |---------+------------------------------> | |xiongj@rpi.edu | | | | |---------+------------------------------> >----------------------------------------------------------------------------------------------------------------------------| | ...

Re: Bind 9.2.5 and IPv6 fails with client.c:1325: unexpected error: failed to get request's destination: failure #2
> > > Hi, > > > > I have a very strange problem with a Bind server version 9.2.5 on Fedora > > Core 3. > > > > Named listen to one IPv4 address and any IPv6 address. The configuration > > has been running for many months. No changes where made recently to the > > configuration except for adding or removing slave zones. > > > > The symptom is that the server does not answer request to the IPv6 > > address + port UDP 53. It still answers requests to the UDP and TCP port > > 53 using IPv4 and to the TCP port 53 using IPv6. Using dig on the > > server, or on any server on the same LAN, leads to the following behavior : > > - dig ns some.domain @IPv4-address : works fine > > - dig +vc ns some.domain @IPv4-address : works fine > > - dig +vc ns some.domain @IPv6-address: works fine > > - dig ns some.domain @IPv6-address: works once or twice immediately > > after restarting named, fails afterwards > > > > The logs show the following message : > > Jan 16 23:34:25 named[32125]: failed to get request's destination: failure > > Jan 16 23:34:27 named[32125]: client.c:1325: unexpected error: > > > > I had a look on client.c around line 1325 but it didn't help much. > > > > Does someone on the list have an idea on what's wrong ? > > > > Thanks very much in advance. ...

Re: Bind 9.2.5 and IPv6 fails with client.c:1325: unexpected error: failed to get request's destination: failure
> Hi, > > I have a very strange problem with a Bind server version 9.2.5 on Fedora > Core 3. > > Named listen to one IPv4 address and any IPv6 address. The configuration > has been running for many months. No changes where made recently to the > configuration except for adding or removing slave zones. > > The symptom is that the server does not answer request to the IPv6 > address + port UDP 53. It still answers requests to the UDP and TCP port > 53 using IPv4 and to the TCP port 53 using IPv6. Using dig on the > server, or on any server on the same LAN, leads to the following behavior : > - dig ns some.domain @IPv4-address : works fine > - dig +vc ns some.domain @IPv4-address : works fine > - dig +vc ns some.domain @IPv6-address: works fine > - dig ns some.domain @IPv6-address: works once or twice immediately > after restarting named, fails afterwards > > The logs show the following message : > Jan 16 23:34:25 named[32125]: failed to get request's destination: failure > Jan 16 23:34:27 named[32125]: client.c:1325: unexpected error: > > I had a look on client.c around line 1325 but it didn't help much. > > Does someone on the list have an idea on what's wrong ? > > Thanks very much in advance. > > Roland. > > -- > Roland Dirlewanger > CNRS - D�l�gation Aquitaine-Limousin > Esplanade des Arts et M�tiers - BP ...

Re: Bind 9.2.5 and IPv6 fails with client.c:1325: unexpected error: failed to get request's destination: failure #3
> Hello, > > Roland Dirlewanger a �crit : > > > > I have a very strange problem with a Bind server version 9.2.5 on Fedora > > Core 3. > > > > Named listen to one IPv4 address and any IPv6 address. The configuration > > has been running for many months. No changes where made recently to the > > configuration except for adding or removing slave zones. > > > > The symptom is that the server does not answer request to the IPv6 > > address + port UDP 53. It still answers requests to the UDP and TCP port > > 53 using IPv4 and to the TCP port 53 using IPv6. Using dig on the > > server, or on any server on the same LAN, leads to the following behavior : > > - dig ns some.domain @IPv4-address : works fine > > - dig +vc ns some.domain @IPv4-address : works fine > > - dig +vc ns some.domain @IPv6-address: works fine > > - dig ns some.domain @IPv6-address: works once or twice immediately > > after restarting named, fails afterwards > > > > The logs show the following message : > > Jan 16 23:34:25 named[32125]: failed to get request's destination: failure > > Jan 16 23:34:27 named[32125]: client.c:1325: unexpected error: > > I think I experienced a similar problem with BIND 9.2.4 on Debian Sarge. > It seems to be triggered when the IPv6 UDP socket receives an IPv4 > request, which can occur in t...

RE: kinit fail on AIX #2
This is the same patch that worked for us also. -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Christian Weiss Sent: Saturday, April 22, 2006 5:55 AM To: kerberos@mit.edu Subject: Re: kinit fail on AIX I ran into the same problem some month ago. The following patch works for me. Donn Cave, donn@u.washington.edu ----------------------------------- *** include/fake-addrinfo.h.dist Wed Jun 1 12:24:32 2005 --- include/fake-addrinfo.h Fri Aug 12 09:10:48 2005 *************** *** 1193,1199 **** a known service name for tcp or udp (as appropriate), an error code (for "host not found") is returned. If the port maps to a known service for both udp and tcp, all is well. */ ! if (serv && serv[0] && isdigit(serv[0])) { unsigned long lport; char *end; lport = strtoul(serv, &end, 10); --- 1193,1208 ---- a known service name for tcp or udp (as appropriate), an error code (for "host not found") is returned. If the port maps to a known service for both udp and tcp, all is well. */ ! /* ! ** ! ** However, where AI_NUNERICSERV is defined (AIX 5) and was specified, ! ** this is unneeded and and broken - "discard" is not numeric. ! */ ! if (serv && serv[0] ! #ifdef AI_NUMERICSERV ! && !(hint->ai_flags & AI_NUMERICSE...

can keytab created on Linux KDC be used when using windows KDC ?
Hi all, I am trying interoperablity between linux machines using windows KDC. I have a question regarding the keytab file usage. Assuming that I create keytab file using Linux KDC for a client called "test.kerberos.com" in the realm "KERBEROS.COM" Can I use the same keytab for the linux machine when it uses windows as KDC ? Has anybody tried this ? Is it possible ? If not possible, can you please explain why it is not possible ? Does windows KDC and Linux use different methods to create keytab ? - Sandy. ...

RE: encryption algorithm used by kerberos #2
Sam Hartman wrote: > * Cibersafe supports a 3DES incompatible with the rest of the world This is not strictly true, especially considering the many PacketCable and CableHome implementations on the market and their use of the same 3DES cipher suite as the CyberSafe products. To clarify this I have provided a more complete list of 'modern' Kerberos implementations to avoid any miss-interpretation of Sam's reference to this : MIT - 3DES with HMAC/SHA1 digest - AES - RC4 with HMAC Heimdal - 3DES with HMAC/SHA1 digest - AES - RC4 with HMAC Microsoft - RC4 with HMAC CyberSafe (www.cybersafe.ltd.uk) - 3DES with MD5 digest - RC4 with HMAC (available very soon ...) - AES (available very soon ...) IPFonix (www.ipfonix.com) - 3DES with MD5 digest (The requirement for 3DES with MD5 digest is documented on page 62 of PacketCable security specification) Jungo (http://www.jungo.com/openrg/rgcablehome.html) - 3DES with MD5 digest (Uses similar security standards as PacketCable) Summary: With the large number of vendors involved in PacketCable/CableHome (there are too many to list here) it is clear that the 3DES cipher with MD5 digest (as supported by CyberSafe) is here to stay for a very long time. Today, with RC4 support many of the above Kerberos implementations can work well with with Microsoft AD, however the long term desire is for all implementations to use AES as a default/preference instead of RC4. Currently there is no standard for AES with GSS-API/SSPI -...

Re: kinit(v5): Cannot contact any KDC for requested......
I'm also using Kerberos with RH... I don't see your hosts in your principal list... You should add the host, with a random key and store it in /etc/krb5.keytab for every host that's in the realm, including the KDC. That could be the cause of your problem... I'm not sure though I'm also not using DNS. - Jin On Wed, 12 Nov 2003 20:54:52 -0700 muzaffar.sultan@telvent.abengoa.com wrote: > Hi All, > > This is my first email to clug. I hope there's kerberos expert on this > list. > I've been battling with kerberos issues for couple of days. > > I've installed latest kerberos on RH advance server according to > documentation. > Everything seems ok but kerberos client apps like kinit are not working. > > I could run kadmin.local. All important principals are created as well. > > I logged in as root on the same machine where master kdc is running. I've > setup DNS as well but no success. > > I noticed one thing: I did not create principal for root@RTDLINUX.COM. > When > I ran kinit, this is the message I got in krb4kdc.log file: > > Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 > 1 > 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: root@RTDLINUX.COM for > krbtgt/RTDLINUX.COM@RTDLINUX.COM, Client not found in Kerberos database > Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated > (retransmitted?) request from 128.1.1.70, resending pre...

RE: Smartcard logon using Unix KDC #2
Robert, As you have discovered, if you want to use the Windows GINA/WinLogon/SSP provided by Microsoft and logon via a UNIX KDC with a smart card you first need to make the workstation a member of a domain. The only solution I can think of is to develop a new gina which supports pkinit and bypasses the Microsoft code that does the same job - this will then work when workstation is not a member of a domain. We have done this on Windows NT, but our Win2k/XP product does not yet replace the gina. We are planning to address this requirement in the future, so I would be interested to find out how successful you are ? Thanks,Tim. -----Original Message----- From: Pr�gai R�bert [mailto:pragai@rubin.hu] Sent: 27 January 2004 08:03 To: Tim Alsop Cc: kerberos@MIT.EDU Subject: Re: Smartcard logon using Unix KDC Hi Tim, I use Heimdal KDC, which has a PKINIT extension. Although it works just in the Kerberos client - Windows KDC way with Windows, we plan (with Daniel Kouril) to extend its functionalities to work in the opposite direction, too. But the basic problem is that the Windows workstation assumes that if the logon is not a domain logon, then it cannot be a PKINIT logon as well. Maybe I should change the Kerberos SSP... (You probably have the right answer at Cybersafe :-) thanks, Robert > Robert, > > For this to work, the UNIX KDC needs to support the PKINIT standard at > the same draft level as Microsoft (I believe this is draft 9). Do you > know if ...

RE: Kerberos error 52 (0x34) when using kinit
Hello Douglas, Thanx for the response. I'll get the latest version from MIT and try again. Regards, Bruce. -----Original Message----- From: Douglas E. Engert [mailto:deengert@anl.gov] Sent: Friday, December 10, 2004 8:57 AM To: Wells, Bruce Cc: kerberos@mit.edu Subject: Re: Kerberos error 52 (0x34) when using kinit Wells, Bruce wrote: > Hello All, > I'm getting the above error when I try to get the initial ticket using > kinit. The KDC is Windows 2003 and the client is running on linux. My > understanding of kerberos and the KDC in particular is that if the KDC > can't send the response back via UDP it will switch over to TCP. My > question is this: Does the client need to programmactically take an > action if it recieves this error or will this be taken care of "under > the hood"? Also the client side (linux), is there a way to force the > communication to occur using TCP? Depends on the release of the Kerberos. MIT 1.2.x did not support TCP, 1.3.x does. Its a recent addition to Java as well. Theylibs wil switch as needed. The krb5.conf [libdefaults] udp_preference_limit = nnn can be used to tell the client to use TCP if the message is over nnn bytes. Setting to 1 in effect says try TCP first. The problem is the ticket is large due to the PAC being included from AD. (IIRC) W2003 servers have a lower cut over size then W2000 servers. > > TIA, > Bruce E. Wells > > -----------------------------...

RE: why does this fail on python 2.2?
John Hunter wrote: > class Results(object): > __slots__ =3D ( "__doinit" ) > def __new__(cls): > retobj =3D object.__new__(cls) > retobj.__doinit =3D True > return retobj Not sure why that fails, but I am wondering why you chose: retobj =3D object.__new__(cls) over: retobj =3D cls() Perhaps you're "digging too deep" on the supercall. Robert Brewer MIS Amor Ministries fumanchu@amor.org ...

RE: [Info-ingres] Re: Is it possible to use OpenIngres gateway to access Sybase without using cursors? #2
Roy writes: > Err, we do all know what READ UNCOMMITTED means, I hope? (There is a very > good reason why Ingres makes the transaction implicitly read-only when you > do that.) And also, it is not clear to me why changing the isolation level > of just the next transaction would solve anything much. Do you perhaps > intend that to be SET SESSION ISOLATION LEVEL? Well, err, I used to think so before we started using EA/MSSQL. Here is the MSSQL syntax. No session keyword. It affects all transactions for the session. SET TRANSACTION ISOLATION LEVEL { READ COMMITTED | READ UNCOMMITTED | REPEATABLE READ | SERIALIZABLE } When the code was converted to run over both ingres and EA/MSSQL, we discovered serious locking contention everywhere. The "SET lockmode session.." statement was apparently ignored by the gateway. After some research, the programmers decided to fix it by putting a commit after every select statement - even in the middle of important business transactions. The work around I discovered after rtfm about two years later. (I was too busy fixing rollbacks that didnt rollback what they were supposed to) It is not ideal but is ok for this app because there is a manual lock indicator to avoid two operators accessing the same account at the same time. Paul "Paul White" <pwhite@peerlessit.com.au> wrote in message news:mailman.1111732922.16542.info-ingres@cari...

RE: Denial of service when using Active Directory for KDC ? #2
Javier, Thank you again. I understand that the use of computer accounts either with ktpass or via another tool (our longer term goal) is the best approach. I am exchanging emails with Markus to find out how to use ktpass (short term solution) for computer account creation. I am yet to try his latest suggestion. We will eventually build a netjoin based utility, which will run on each system instead of on the domain controller. This will be similar to the code you refer to from CSS or provided with Samba, but will be supported by us for our customers to use with our products. Regards, Tim ________________________________ From: jpbermejo [mailto:jpbermejo@prisacom.com] Sent: Fri 06/05/2005 10:59 To: Tim Alsop Cc: Markus Moeller; kerberos@mit.edu Subject: RE: Denial of service when using Active Directory for KDC ? On Fri, 2005-05-06 at 11:28 +0200, Tim Alsop wrote: > Javier, > > Thankyou. I have a related question for your : > > In order to use a user account which is then used to run ktpass > against I need to first create the user account (e.g. I did use that method many months ago, with a 2000 domain. Now, with a 2003 domain I've actually never tried ktpass seriously, and I use either samba or css_adkadmin. The first one forces node.domain.com into node$ as principal name, where the second allows HOST/node.domain.com. Both are standar computer accounts as any other windows machine. You can get a TGT (or any other tickets) for these principals...

Re: Re: RE: Prob: failed to verify krb5 credentials: Server not #2
> So does that user have the correct spn. Adsiedit will tell you Okay, I tried it with adsiedit and I got the following for TWikiUser: http/wiki.test.lan Greets, -------- Kabel E-Mail Reply --------------- From: paul.moore@centrify.com To : slaindevil@kabelmail.de;deengert@anl.gov Date: 04.02.2009 01:35:12 <html> <text>So does that user have the correct spn. Adsiedit will tell you</text> <br /> <br /> <text>----- Original Message -----</text> <br /> <text>From:</text> <a href="/sites/mybox/forms/newmail.asp?sendto= slaindevil@kabelmail.de "> <text>slaindevil@kabelmail.de</text> </a> <slaindevil@kabelmail.de /> <br /> <text>To: Paul Moore;</text> <a href="/sites/mybox/forms/newmail.asp?sendto= deengert@anl.gov "> <text>deengert@anl.gov</text> </a> <deengert@anl.gov> <br /> <text>Cc:</text> <a href="/sites/mybox/forms/newmail.asp?sendto= kerberos@mit.edu "> <text>kerberos@mit.edu</text> </a> <kerberos@mit.edu /> <br /> <text>Sent: Tue Feb 03 16:57:02 2009</text> <br /> <text>Subject: Re: RE: Prob: failed to verify krb5 credentials: Server not</text> <br />...

RE: + i'm using wxMSW 2.4.2, g++, Eclipse 2.1.2+CDT
Michael, I don't know about the rest but use the parameter FINAL on the make command line You probably want this one make -f makefile.g95 FINAL=1 UNICODE=0 make -f makefile.g95 FINAL=1 UNICODE=1 // Debug make -f makefile.g95 FINAL=0 UNICODE=0 make -f makefile.g95 FINAL=0 UNICODE=1 -Paul -----Original Message----- From: Michael Peternell [mailto:Michael.Peternell@gmx.at] Sent: Tuesday, January 27, 2004 10:18 AM To: wx-users list Subject: + i'm using wxMSW 2.4.2, g++, Eclipse 2.1.2+CDT - help please previous message: wxWin compiler problem with Dev-C...

Re: How to make BACKUP fail instead of making OPCOM request? #2
Bob Kaplow was overheard to say: > > How? For me it displays OPCOM messages on the not-logged-in console and > waits for intervention. What do you do to get it to abort? > > Bob Kaplow NAR # 18L TRA # "Impeach the TRA BoD" If you are getting OPCOM messages then you have an operator defined. I explicitly disable this for the backups. An abridged version of some of the steps $ define/nolog sys$command opa0: $ reply/enable $ reply/disable $ deassign sys$command $ backup/image/assist/list='list_file' - 'fulldevnam'/ignore=(interlock,label) - ...

RE: Bad code (was: Thoughts on Logical Log use requested) #2
-----Original Message----- From: informix-list-bounces@iiug.org [mailto:informix-list-bounces@iiug.org] On Behalf Of Konikoff, Rob (Contractor) Sent: 23 March 2006 04:43 PM To: informix-list@iiug.org Subject: RE: Bad code (was: Thoughts on Logical Log use requested) >> A lot of things on our system is hardcoded, and not normalised. >You guys... listen... Bad code is a part of life. I have to write >REALLY bad, clunky code quite often to get around system requirements >produced by original programmers, or even to overcome limitations >established by management... That's the breaks of the game. I don't >complain... it keeps me employed. The down side is that the only ones >who suffer are the end customers that need the data! ..... and the DBA's who are trying to explain why the system is slow .... :-( > The information on this e-mail including any attachments relates to the off= icial business of DigiCare (Pty) Ltd. The information is confidential and l= egally privileged and is intended solely for the addressee. Access to this = e-mail by anyone else is unauthorised and as such any disclosure, copying, = distribution or any action taken or omitted in reliance on it is unlawful. = Please notify the sender immediately if it has inadvertently reached you an= d do not read, disclose or use the content in any way.=20 > No responsibility whatsoever is accepted by DigiCare (Pty) Ltd if the inf...

RE: wxMac
Hi=20 > Stefan: As of this direct comparsion, it should be fixed in=20 > wxRegion::Empty. Right ? yes, and it is already fixed both in WX_2_6_BRANCH and CVS HEAD as of 9th of Feb=20 Best, Stefan --------------------------------------------------------------------- To unsubscribe, e-mail: wx-users-unsubscribe@lists.wxwidgets.org For additional commands, e-mail: wx-users-help@lists.wxwidgets.org Stefan, Stefan Csomor wrote: > Hi > >> Stefan: As of this direct comparsion, it should be fixed in >> wxRegion::Empty. Right ? > > yes, a...

RE: is that common to use kerberos authentication for SUN iplanet LDAP server? #2
Markus, I know SASL/GSSAPI can do encryption according to the document however I tried a while back to enable the encryption against AD while doing kerberos authentication in my C program but failed. Did you really enable the encryption successfully in the program? If so then I must have missing something then.... Thanks. -Kent -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Markus Moeller Sent: Thursday, September 01, 2005 12:24 PM To: kerberos@mit.edu Subject: Re: is that common to use kerberos authentication for SUN iplanet LDAP server? Craig, you say you use SASL + SSL. As far as I know SASL/GSSAPI can do encryption too. What was the reason not to use SASL/GSSAPI with encryption. And example is AD, which can be accessed via SASL/GSSAPI with encryption. Thanks Markus "Craig Huckabee" <huck@spawar.navy.mil> wrote in message news:4316DEC8.5060809@spawar.navy.mil... > Kent Wu wrote: >> >> So my question is that is it pretty easy to enable Kerberos for SUN >> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well? > > We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy > against MIT Kerberos 1.3.x and use MIT KDCs. I think the binary versions > they sold previously also use MIT Kerberos. > > We now have several processes that regularly use only GSSAPI/SASL over > SSL to authenticate and communicate wi...

RE: ld.so.1: kinit: fatal: libkrb4.so.2: open failed: No such file
Thanks, Fredrik! I set up the LD_LIBRARY_PATH and it works. But I am getting into another problem that the kinit couldn't reach the KDC I specified, errors are: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials However, I remember when I did this within windowsXP, leash was able to do the DNS look up once I turned on the flag in the krb5.ini. BTW, do you know where krb5.conf exists for krb5-1.3.5-sparc-solaris2.9 (MIT implementation) besides some directory such as: /etc/krb5 (default on Solaris). Thanks in advance, - Ying -----Original Message----- From: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] On Behalf Of Fredrik Tolf Sent: Tuesday, October 05, 2004 11:12 AM To: kerberos@MIT.EDU Subject: Re: ld.so.1: kinit: fatal: libkrb4.so.2: open failed: No such file On Tue, 2004-10-05 at 13:15 +0000, "Ying Zhao" wrote: > I downloaded krb5-1.3.5-sparc-sun-solaris2.9.tar and unpacked the tar to > get it installed on my UNIX box. Then I tried to run kinit (the one in > the unpacked directory), I got an error: > > ld.so.1: kinit: fatal: libkrb4.so.2: open failed: No such file or > directory > > Then I checked the directory structure and found the unpacked stuff is > under $MU_CURRENT_DIR/usr/local/lib. Should this be a problem if the all > the kinit etc. are supposed to directly run under /usr/local/bin, and > libraray be under /usr/local/lib rather than build anot...

Web resources about - RE: kinit request on keytab fails using 2K3sp1 KDC #2 - comp.protocols.kerberos

Wikipedia:Admin coaching/Requests for Coaching - Wikipedia, the free encyclopedia
Are added to the current request list in date order, newest at the end . Coaches will contact people at or near the top of the list, with preference ...

Pope Francis never received request to meet Ballarat sex abuse victims, says Vatican
Child sex abuse survivors who flew to Rome to hear Cardinal George Pell give evidence to a royal commission say their request to meet the Pope ...

Pope Francis never received request to meet Ballarat sex abuse victims, says Vatican
Child sex abuse survivors who flew to Rome to hear Cardinal George Pell give evidence to a royal commission say their request to meet the Pope ...

Energy East Hearings To Go On After Quebec Court Smacks Down Suspension Request 23
But another court challenge is on its way. MONTREAL — A Quebec court has rejected a request by an environmental coalition to have hearings into ...

In new filing, DOJ says its request ‘invades no one’s privacy,’ Apple’s response is ‘corrosive’
The Department of Justice has today filed its latest response to Apple in their fight over unlocking the iPhone 5c used by one of the San Bernardino ...

Balloon Juice Bunker Standoff: The US Government Responds to Peter Santilli’s Request for Bail
Yesterday the US Attorneys in Oregon and Nevada responded to Peter Santilli’s request to get bail . Santilli’s argument is that he’s not a party ...

WFMU Fundraiser Marathon underway; Yo La Tengo playing requests in exchange for pledges this weekend
Hear Yo La Tengo play your favorite song or try to stump the band as part of the NJ independent radio station's annual pledge drive.

Google is seeing a huge surge in copyright takedown requests
Google is seeing a huge surge in companies asking it to remove copyrighted material from its search results. In the last week, copyright holders ...

Judge grants request to unseal Bobbi Kristina autopsy
WXIA-TV reports the judge will likely sign an unsealing order in the coming days

Google copyright takedown requests jump to 76 million in past month
The number of requests from copyright holders to get rid of links to allegedly infringing content has more than doubled compared to last year. ...

Resources last updated: 3/10/2016 2:24:34 PM