RE: kinit request on keytab fails using 2K3sp1 KDC #4

David,

I have seen this problem before. It does not occur with the pre-SP1
version of ktpass. Conclusion: If you want to create keytable files
which have correct kvno's and which work correctly with des, then you
must use the pre-SP1 version of ktpass. 

Thanks, Tim

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of David Telfer
Sent: 23 March 2006 17:39
To: kerberos@mit.edu
Subject: Re: kinit request on keytab fails using 2K3sp1 KDC

Jeffrey Altman wrote:
> Why do you need the kvno to be 1?  
It wasn't so much that they needed to match, more to tidy up the
situation I had on the KDC.

> For example, what is the enctype of the service ticket issued by the
> KDC?  Does that match the enctype of the keytab entry you are using?
>
> What do the following commands output?
>
>   klist -e -k /etc/krb5.keytab
>
>   kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK
>   klist -e
>   
This appears to be the problem, the keytab is being generated with DES
CBC MD5, the service principal is sending an ArcFour encrypted tgt.

The reason this never occurred to me is that the user account has the
'use DES encryption for this account' setting ticked.  I have tried the
following process to force the service principal to be DES;

1 - create account
2 - run ktpass util with -mapop set +DesOnly and -crypto DES-CBC-MD5
options set.
3 - view account properties and ensure that 'use DES encryption for this
account' is checked
4 - change password of account (with the intention of forcing the DES
change from the ktpass step above)
5 - re-run identical ktpass line and use this as the final keytab

Even with these steps, the encryption type of the ServicePrincipal tgt 
stays as ArcFour.

Unfortunately I am not the AD administrator, I have access to an admin
member of staff who has been applying the changes for me.  Due to this I
cannot be sure of every setting their kdc controller has.  Specifically
I would be keen to find out whether there is a global setting which
forces all user and service principals to be created as ArcFour.  Has
anyone experienced something like this, or do they know of a way to hard
force the enc type of the service principal.

> If the enctypes and output of those commands match, then you must
> double check that the browser client is obtaining service tickets
> with the name HTTP/connect.smg.plc.uk@SMG.PLC.UK and that the
> enctype of that ticket matches the contents of the keytab entry.
>   
I haven't got to the stage of attempting to use mod_auth_kerb yet.  I am
still trying to get past the
`#./kinit -k -t /etc/krb5.keytab HTTP/connect.smg.plc.uk@SMG.PLC.UK`
stage.  I may look into the potential for using ArcFour for both the
keytab and ServicePrincipal but I'm sure this will open another can of
worms as well.

Thanks,
David




________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


tim.alsop (50)
3/23/2006 5:44:40 PM
comp.protocols.kerberos

Tim Alsop wrote:
> David,
> 
> I have seen this problem before. It does not occur with the pre-SP1
> version of ktpass. Conclusion : If you want to create keytable files
> which have correct kvno's and which work correctly with des, then you
> must use the pre-SP1 version of ktpass. 
> 
> Thanks, Tim

To which I once again ask, why would you use DES when you can use
RC4?

RC4 is a strong enctype and is the enctype that Windows wants to
use.  I seem to remember that if you want to be able to "Use DES only"
then you must set the flag in AD and then change the password on
the account before it will take effect.

Jeffrey Altman

jaltman2 (417)
3/23/2006 6:15:47 PM
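
The comparison asked for in this thread (the keytab entry's enctype and kvno against what the KDC issues) can be scripted. The following is an added example, not code from any poster or from MIT Kerberos: a Python reader for the MIT keytab file format (version 0x502) with a check that reports enctype and kvno mismatches. The sample keytab, its all-zero key, the KDC-side values passed to `diagnose`, and all function names are constructed for illustration.

```python
import struct

# Kerberos enctype numbers for the enctypes named in the thread
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac"}


def ename(etype):
    return ENCTYPES.get(etype, "etype-%d" % etype)


def _counted(buf, pos):
    """Read a 16-bit length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("counted string runs past end of entry")
    return buf[pos:pos + n], pos + n


def _parse_entry(buf):
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, pos = _counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        comp, pos = _counted(buf, pos)
        comps.append(comp.decode("utf-8", "replace"))
    # name type (4 bytes), timestamp (4), 8-bit kvno (1), key enctype (2)
    name_type, timestamp, kvno, etype = struct.unpack_from(">IIBH", buf, pos)
    key, pos = _counted(buf, pos + 11)
    # An optional trailing 32-bit kvno overrides the 8-bit one when non-zero
    if len(buf) - pos >= 4:
        (kvno32,) = struct.unpack_from(">I", buf, pos)
        kvno = kvno32 or kvno
    principal = "/".join(comps) + "@" + realm.decode("utf-8", "replace")
    return {"principal": principal, "kvno": kvno, "etype": etype,
            "keylen": len(key), "timestamp": timestamp}


def parse_keytab(data):
    """Parse keytab bytes (format 0x502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:          # zero length: treated as end of entries
            break
        if size < 0:           # deleted entry: skip the hole it left
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def diagnose(entries, principal, kdc_kvno, ticket_etype):
    """Compare keytab entries with the KDC-side kvno and ticket enctype."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return ["no keytab entry for " + principal]
    findings = []
    same_etype = [e for e in mine if e["etype"] == ticket_etype]
    if not same_etype:
        have = ", ".join(sorted(set(ename(e["etype"]) for e in mine)))
        findings.append("enctype mismatch: keytab has %s, KDC issued %s"
                        % (have, ename(ticket_etype)))
    pool = same_etype or mine
    if not any(e["kvno"] == kdc_kvno for e in pool):
        kvnos = sorted(set(e["kvno"] for e in pool))
        findings.append("kvno mismatch: keytab has %s, KDC reports %d"
                        % (kvnos, kdc_kvno))
    return findings


def _build_entry(principal, kvno, etype, key):
    """Serialize one entry body (used only to construct the sample below)."""
    name, realm = principal.rsplit("@", 1)
    def pack(b):
        return struct.pack(">H", len(b)) + b
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + pack(realm.encode())
    body += b"".join(pack(c) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)  # name type 1
    return body + pack(key) + struct.pack(">I", kvno)


# Constructed sample: one deleted slot, then a DES-CBC-MD5 entry with kvno 1
_body = _build_entry("HTTP/connect.smg.plc.uk@SMG.PLC.UK", 1, 3, bytes(8))
SAMPLE_KEYTAB = (b"\x05\x02"
                 + struct.pack(">i", -len(_body)) + bytes(len(_body))
                 + struct.pack(">i", len(_body)) + _body)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    # Constructed KDC-side values: kvno 3, ticket enctype 23 (ArcFour)
    for line in diagnose(entries, "HTTP/connect.smg.plc.uk@SMG.PLC.UK", 3, 23):
        print(line)
```

On a real host, pass the bytes of /etc/krb5.keytab to `parse_keytab` and take the KDC-side kvno and ticket enctype from the `kvno` and `klist -e` output requested above.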