


Re: kinit(v5): Cannot contact any KDC for requested...... #2

Thanks Jin for the tip.
I tried that as well and it did not work.

I've stopped using DNS to troubleshoot the problem.
Here's principals list:

[root@kerberos sample]# /usr/local/sbin/kadmin.local
Authenticating as principal muzaffar/admin@RTDLINUX.COM with password.
kadmin.local:  listprincs
K/M@RTDLINUX.COM
host/kerberos.rtdlinux.com@RTDLINUX.COM
kadmin/admin@RTDLINUX.COM
kadmin/changepw@RTDLINUX.COM
kadmin/history@RTDLINUX.COM
krbtgt/RTDLINUX.COM@RTDLINUX.COM
muzaffar/admin@RTDLINUX.COM
root@RTDLINUX.COM
sample/kerberos.rtdlinux.com@RTDLINUX.COM

Here's output from keytab file:
[root@kerberos sample]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 kadmin/admin@RTDLINUX.COM
   4 kadmin/admin@RTDLINUX.COM
   4 kadmin/changepw@RTDLINUX.COM
   4 kadmin/changepw@RTDLINUX.COM
   2 host/kerberos.rtdlinux.com@RTDLINUX.COM
   2 host/kerberos.rtdlinux.com@RTDLINUX.COM
_________________________________________________________
Muzaffar Sultan--Telvent
muzaffar.sultan@telvent.abengoa.com
Ph: (403)-301-5020



xiongj@rpi.edu
11/13/2003 09:36 AM
Please respond to xiongj

to: muzaffar.sultan@telvent.abengoa.com
cc: Kerberos@mit.edu
Subject: Re: kinit(v5): Cannot contact any KDC for requested......




I'm also using Kerberos with RH...
I don't see your hosts in your principal list...

You should add the host, with a random key and store it in /etc/krb5.keytab
for every host that's in the realm, including the KDC.

That could be the cause of your problem...

I'm not sure though I'm also not using DNS.



- Jin



On Wed, 12 Nov 2003 20:54:52 -0700 muzaffar.sultan@telvent.abengoa.com
wrote:



> Hi All,
>
> This is my first email to clug. I hope there's kerberos expert on this
> list.
> I've been battling with kerberos issues for couple of days.
>
> I've installed latest kerberos on RH advance server according to
> documentation.
> Everything seems ok but kerberos client apps like kinit are not working.
>
> I could run kadmin.local. All important principals are created as well.
>
> I logged in as root on the same machine where master kdc is running. I've
> setup DNS as well but no success.
>
> I noticed one thing: I did not create principal for root@RTDLINUX.COM.
> When I ran kinit, this is the message I got in krb4kdc.log file:
>
> Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: root@RTDLINUX.COM for krbtgt/RTDLINUX.COM@RTDLINUX.COM, Client not found in Kerberos database
> Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated (retransmitted?) request from 128.1.1.70, resending previous response
>
> When I created this principal, krb5kdc dies silently (no message in log).
> It seems like kinit is communicating with kdc but somehow krb5kdc process
> crashes.
>
> when I run kinit. kinit complains with this error:
> kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials
>
> Here's my krb5.conf file:
> [root@kerberos krb5kdc]# more /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = RTDLINUX.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>
> [realms]
>  RTDLINUX.COM = {
>   kdc = kerberos.rtdlinux.com:88
>   admin_server = kerberos.rtdlinux.com:749
>   default_domain = rtdlinux.com
>  }
>
> [domain_realm]
>  .rtdlinux.com = RTDLINUX.COM
>  rtdlinux.com = RTDLINUX.COM
>
> [kdc]
>  profile = /usr/local/var/krb5kdc/kdc.conf
>
> [pam]
>  debug = false
>  ticket_lifetime = 36000
>  renew_lifetime = 36000
>  forwardable = true
>  krb4_convert = false
>
> Here's kdc.conf file contents:
> [root@kerberos krb5kdc]# more /usr/local/var/krb5kdc/kdc.conf
> [kdcdefaults]
>              kdc_ports = 88,750
>
> [realms]
>              RTDLINUX.COM = {
>                          database_name = /usr/local/var/krb5kdc/principal
>                          admin_keytab = /etc/krb5.keytab
>                          acl_file = /usr/local/var/krb5kdc/kadm5.acl
>                          key_stash_file = /usr/local/var/krb5kdc/.k5.RTDLINUX.COM
>                          kadmin_port = 749
>                          kdc_ports = 88,750
>                          max_life = 10h 0m 0s
>                          max_renewable_life = 7d 0h 0m 0s
>                          master_key_type = des3-hmac-sha1
>                          supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
>              }
>
> These are the principals:
> K/M@RTDLINUX.COM
> kadmin/admin@RTDLINUX.COM
> kadmin/changepw@RTDLINUX.COM
> kadmin/history@RTDLINUX.COM
> krbtgt/RTDLINUX.COM@RTDLINUX.COM
> muzaffar/admin@RTDLINUX.COM
> root@RTDLINUX.COM
>
> Please help me if anybody has any clue.
>
> Thanks in advance.
> _________________________________________________________
> Muzaffar Sultan--Telvent
> muzaffar.sultan@telvent.abengoa.com
> Ph: (403)-301-5020
>
> ________________________________________________
> Kerberos mailing list                Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
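
The triage the original poster reasons through above (does krb5.conf name a KDC for the realm, and did the request show up in the KDC log), as an added example that is not part of any post in the thread. It runs on the krb5.conf excerpt and krb5kdc.log lines quoted in the thread; the function names and verdict strings are assumptions of this example.

```python
import re

# krb5.conf excerpt and krb5kdc.log lines copied from the thread
# (wrapped log lines rejoined into single lines).
KRB5_CONF = """\
[libdefaults]
 default_realm = RTDLINUX.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 RTDLINUX.COM = {
  kdc = kerberos.rtdlinux.com:88
  admin_server = kerberos.rtdlinux.com:749
  default_domain = rtdlinux.com
 }
"""
KDC_LOG = (
    "Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 1 3 2}) "
    "128.1.1.70: CLIENT_NOT_FOUND: root@RTDLINUX.COM for krbtgt/RTDLINUX.COM@RTDLINUX.COM, "
    "Client not found in Kerberos database\n"
    "Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated (retransmitted?) "
    "request from 128.1.1.70, resending previous response\n"
)

# MIT krb5 names for the encryption type numbers seen in the AS_REQ line.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

# Patterns for the two log line shapes shown in the thread.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>[^,\s]+)")
RETRANS = re.compile(r"DISPATCH: repeated \(retransmitted\?\) request from (?P<ip>[\d.]+)")


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used in the thread: [sections], key = value,
    and one level of `name = { ... }` nesting. Repeated keys accumulate in lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = block if block is not None else section
                target.setdefault(key, []).append(value)
    return conf


def kdc_endpoints(conf):
    """Return (default_realm, [(host, port)], dns_lookup_enabled).
    dns_lookup_enabled is True only when the file turns it on explicitly."""
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [None])[0]
    endpoints = []
    for entry in conf.get("realms", {}).get(realm, {}).get("kdc", []):
        host, _, port = entry.partition(":")
        endpoints.append((host, int(port) if port else 88))  # 88 is the Kerberos port
    dns = lib.get("dns_lookup_kdc", [""])[0].lower() in ("true", "yes", "on", "1")
    return realm, endpoints, dns


def parse_kdc_log(text):
    """Return (AS_REQ records, source IPs of retransmitted requests)."""
    requests, retransmits = [], []
    for line in text.splitlines():
        m = AS_REQ.search(line)
        if m:
            etypes = [int(n) for n in m["etypes"].split()]
            requests.append({
                "ip": m["ip"], "status": m["status"],
                "client": m["client"], "server": m["server"], "etypes": etypes,
                "etype_names": [ETYPE_NAMES.get(n, f"etype-{n}") for n in etypes]})
            continue
        m = RETRANS.search(line)
        if m:
            retransmits.append(m["ip"])
    return requests, retransmits


def triage(conf_text, log_text):
    """Narrow down 'Cannot contact any KDC' from the client config and the KDC log."""
    realm, endpoints, dns = kdc_endpoints(parse_krb5_conf(conf_text))
    requests, retransmits = parse_kdc_log(log_text)
    if not endpoints and not dns:
        verdict = "no_kdc_configured"    # the client has nowhere to send the AS_REQ
    elif requests:
        verdict = "requests_reach_kdc"   # network path works; look at the krb5kdc process
    else:
        verdict = "no_requests_logged"   # check name resolution and port reachability
    return {"realm": realm, "endpoints": endpoints, "verdict": verdict,
            "requests": requests, "retransmits": retransmits}


if __name__ == "__main__":
    result = triage(KRB5_CONF, KDC_LOG)
    print(result["realm"], result["endpoints"], result["verdict"])
    for req in result["requests"]:
        print(req["ip"], req["status"], req["client"], req["etype_names"])
```
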

11/13/2003 8:13:09 PM
comp.protocols.kerberos 5541 articles. 1 followers. jwinius (31) is leader. Post Follow

0 Replies
667 Views

Similar Articles

[PageSpeed] 59

Reply:

Similar Artilces:

Re: kinit(v5): Cannot contact any KDC for requested......
I'm also using Kerberos with RH... I don't see your hosts in your principal list... You should add the host, with a random key and store it in /etc/krb5.keytab for every host that's in the realm, including the KDC. That could be the cause of your problem... I'm not sure though I'm also not using DNS. - Jin On Wed, 12 Nov 2003 20:54:52 -0700 muzaffar.sultan@telvent.abengoa.com wrote: > Hi All, > > This is my first email to clug. I hope there's kerberos expert on this > list. > I've been battling with kerberos issues for couple of days. > > I've installed latest kerberos on RH advance server according to > documentation. > Everything seems ok but kerberos client apps like kinit are not working. > > I could run kadmin.local. All important principals are created as well. > > I logged in as root on the same machine where master kdc is running. I've > setup DNS as well but no success. > > I noticed one thing: I did not create principal for root@RTDLINUX.COM. > When > I ran kinit, this is the message I got in krb4kdc.log file: > > Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 > 1 > 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: root@RTDLINUX.COM for > krbtgt/RTDLINUX.COM@RTDLINUX.COM, Client not found in Kerberos database > Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated > (retransmitted?) request from 128.1.1.70, resending pre...

kinit(v5): Cannot contact any KDC for requested......
Hi All, This is my first email to clug. I hope there's kerberos expert on this list. I've been battling with kerberos issues for couple of days. I've installed latest kerberos on RH advance server according to documentation. Everything seems ok but kerberos client apps like kinit are not working. I could run kadmin.local. All important principals are created as well. I logged in as root on the same machine where master kdc is running. I've setup DNS as well but no success. I noticed one thing: I did not create principal for root@RTDLINUX.COM. When I ran kinit, this is the message I got in krb4kdc.log file: Nov 11 15:06:01 kerberos krb5kdc[26446](info): AS_REQ (6 etypes {18 16 23 1 3 2}) 128.1.1.70: CLIENT_NOT_FOUND: root@RTDLINUX.COM for krbtgt/RTDLINUX.COM@RTDLINUX.COM, Client not found in Kerberos database Nov 11 15:06:01 kerberos krb5kdc[26446](info): DISPATCH: repeated (retransmitted?) request from 128.1.1.70, resending previous response When I created this principal, krb5kdc dies silently (no message in log). It seems like kinit is communicating with kdc but somehow krb5kdc process crashes. when I run kinit. kinit complains with this error: kinit(v5): Cannot contact any KDC for requested realm while getting initial credentials Here's my krb5.conf file: [root@kerberos krb5kdc]# more /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] ticket_li...

kinit(v5): Cannot contact any KDC for requested ...
--=-k/lcpzymRBzmrMBCKbwB Content-Type: text/plain Content-Transfer-Encoding: 7bit Hi, I am trying to setup kerberos, but I am getting the above problem. My krb5.conf file is attached. Could you please help. I had run the following commands. # kdb5_util create -r chitta.cse.krb -s # kadmin.local -q "addprinc admin/admin" # kadmin.local -q "addprinc kuser" # kadmin.local -q "getprincs" K/M@chitta.cse.krb admin/admin@chitta.cse.krb kadmin/admin@chitta.cse.krb kadmin/changepw@chitta.cse.krb kadmin/history@chitta.cse.krb kadmin/localhost@chitta.cse.krb krbtgt/chitta.cse.krb@chitta.cse.krb kuser@chitta.cse.krb -- Chitta Mandal <chitta@iitkgp.ac.in> IIT Kharagpur --=-k/lcpzymRBzmrMBCKbwB Content-Disposition: attachment; filename=krb5.conf Content-Type: text/plain; name=krb5.conf; charset=UTF-8 Content-Transfer-Encoding: 7bit [logging] default = FILE:/var/log/kerberos/krb5libs.log kdc = FILE:/var/log/kerberos/krb5kdc.log admin_server = FILE:/var/log/kerberos/kadmind.log default = SYSLOG:INFO:USER [libdefaults] ticket_lifetime = 24000 default_realm = chitta.cse.krb default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc permitted_enctypes = des3-hmac-sha1 des-cbc-crc dns_lookup_realm = false dns_lookup_kdc = true kdc_req_checksum_type = 2 checksum_type = 2 ccache_type = 1 forwardable = true proxiable = true [realms] chitta.cse.krb = { kdc = chitta.cse.iitkgp.ernet.in:88 admi...

RE: kinit request on keytab fails using 2K3sp1 KDC #2
David, Like yourself we spent many days/weeks trying to get the sp1 version of ktpass to work, but we could not, so we have developed our own replacement product that uses computer accounts instead. Cheers, Tim -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer Sent: 23 March 2006 09:47 To: kerberos@mit.edu Subject: Re: kinit request on keytab fails using 2K3sp1 KDC Richard E. Silverman wrote: > > TA> It seems that the sp1 version of ktpass stores a key with a > TA> specific kvno in the keytab file, and the kvno in the domain > TA> controller for the same principal is different. This is why you > TA> cannot use the keytab file to authenticate. > > Yes; it always sets the kvno in the keytab it writes to 1, regardless of > the value in the KDB (which of course changes each time the key is > extracted). So, you can only use the keytab the first time you extract > it. If you have to do it again, just delete the principal and re-create > it. I am not sure whether this is the issue or not, I may be doing something wrong but I have used the following procedure to determine the kvno of both the keytab and the service principal. To determine the KDC principal kvno; #./kinit HTTP/connect.smg.plc.uk@SMG.PLC.UK --->prompted for system user password #./kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK HTTP/connect.smg.plc.uk@SMG.PLC.UK: kvno = 3 To determine...

Re: AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Christopher, I had the exact same problem. I was given 2 patches for KRB 1.4.1 and it fixed the problem. I applied the patches to my 1.4.2 source and the problem is resolved there too. Here are the patches: DNSGLUE.C Patch: *** ./src/lib/krb5/os/dnsglue.c.orig Fri Jan 14 17:10:53 2005 --- ./src/lib/krb5/os/dnsglue.c Thu May 5 11:39:52 2005 *************** *** 62,68 **** --- 62,76 ---- char *host, int nclass, int ntype) { #if HAVE_RES_NSEARCH + #ifndef LANL struct __res_state statbuf; + #else /* LANL */ + #ifndef _AIX + struct __res_state statbuf; + #else /* _AIX */ + struct { struct __res_state s; char pad[1024]; } statbuf; + #endif /* AIX */ + #endif /* LANL */ #endif struct krb5int_dns_state *ds; int len, ret; LOCATE_KDC.C Patch: >*** ./src/lib/krb5/os/locate_kdc.c.orig Thu May 5 08:06:45 2005 >--- ./src/lib/krb5/os/locate_kdc.c Thu May 5 11:34:27 2005 >*************** >*** 267,275 **** >--- 267,283 ---- > memset(&hint, 0, sizeof(hint)); > hint.ai_family = family; > hint.ai_socktype = socktype; >+ #ifndef LANL > #ifdef AI_NUMERICSERV > hint.ai_flags = AI_NUMERICSERV; > #endif >+ #else /* LANL */ >+ #ifndef _AIX >+ #ifdef AI_NUMERICSERV >+ hint.ai_flags = AI_NUMERICSERV; >+ #endif >+ #endif /* _AIX */ >+ #endif /* LANL */ > sprintf(portbuf, "%d", ntohs(port)); > sprintf(s...

Re: [TCPware V5.6-2,KERBEROS V2.1-72,VMS V7.3-2] TCPIP$IPC_SHR SHRIDMISMAT
At 03:10 PM 8/19/2005, Peter 'EPLAN' LANGSTOEGER wrote: >In article <6.1.2.0.2.20050819133657.023ebc48@raptor.psccos.com>, Dan >O'Reilly <dano@process.com> writes: > >Peter - > > > >At this time, you can't use Kerberos V2.1-72 on a TCPware system, so you'll > >have to regress back to the previous version (2.0-6). We're working on > >getting an ECO together to allow this, but it will be at least a week or > two, > >if not longer. > >Ok. In the meantime I found out that I already had this problem in Feb 200...

kinit: Cannot contact any KDC for requested realm while getting initial credentials
Hi, I am having problems with using kinit, with keytab and username/password. When issuing the kinit command I get the following error: kinit: Cannot contact any KDC for requested realm while getting initial credentials There is a firewall between the webservers where I issue the command from and the domain controller. The webservers are able to connect to the domain controller on port 88 over UDP. The webservers are able to resolve themselves and the domain controller, both forward and reverse lookup. Do any of you guys out there have an idea of what is going wrong? Many thanks, Celia ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

RE: kinit request on keytab fails using 2K3sp1 KDC
David, The easiest solution to this problem is to use the ktpass which was shipped with Windows 2003, and not the one with SP1. Alternatively, you can use one of the many tools available that replace the need for ktpass, and use computer accounts for key storage. These tools do not suffer from the same issues as ktpass. It seems that the sp1 version of ktpass stores a key with a specific kvno in the keytab file, and the kvno in the domain controller for the same principal is different. This is why you cannot use the keytab file to authenticate. Thanks, Tim -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer Sent: 22 March 2006 17:09 To: kerberos@mit.edu Subject: kinit request on keytab fails using 2K3sp1 KDC Hello, I am testing a keytab obtained from a Windows 2003 Server (sp1) prior to configuring mod_auth_kerb. I have used the following command to generate a keytab on the KDC; ktpass -mapuser intsvcuser@smg.plc.uk -princ HTTP/connect.smg.plc.uk@SMG.PLC.UK +DesOnly -pass userspassword -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out "c:\krb5.keytab" The *nix server is running Solaris 9 with MIT krb5-1.4.3. I have transfered the keytab to /etc/krb5.keytab. When I run ; #/usr/local/bin/kinit -k -t /etc/krb5.keytab HTTP/connect.smg.plc.uk@SMG.PLC.UK I get the following error; kinit(v5): Preauthentication failed while getting initial credentials I am able to obtain a ticket directly ...

Re: Re: v5 for Mac #2
The first of these --- the (not) rotated text bug --- has not been fixed either. Another bizarre bug has popped up in 5.0: In text cells, lines are sometimes broken after apostrophes. So a word like can\[CloseCurlyQuote]t will break between \[CloseCurlyQuote] and t. Astonishing. I wonder if that happens in Windows too. ----- Selwyn Hollis http://www.math.armstrong.edu/faculty/hollis On Saturday, August 23, 2003, at 08:08 AM, Gary L. Gray wrote: > In article <bfgauh$8bi$1@smc.vnet.net>, > "Joshua A. Solomon" <J.A.Solomon@city.ac.uk> w...

RE: kinit request on keytab fails using 2K3sp1 KDC #4
David, I have seen this problem before. It does not occur with the pre-SP1 version of ktpass. Conclusion : If you want to create keytable files which have correct kvno's and which work correctly with des, then you must use the pre-SP1 version of ktpass. Thanks, Tim -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of David Telfer Sent: 23 March 2006 17:39 To: kerberos@mit.edu Subject: Re: kinit request on keytab fails using 2K3sp1 KDC Jeffrey Altman wrote: > Why do you need the kvno to be 1? It wasn't so much that they needed to match, more to tidy up the situation I had on the KDC. > For example, what is the enctype of the service ticket issued by the > KDC? Does that match the enctype of the keytab entry you are using? > > What do the following commands output? > > klist -e -k /etc/krb5.keytab > > kvno HTTP/connect.smg.plc.uk@SMG.PLC.UK > klist -e > This appears to be the problem, the keytab is being generated with DES CBD MD5, the service principal is sending an ArcFour encrypted tgt. The reason this never occured to me is that the user account has the 'use DES encryption for this account' setting ticked. I have tried the following process to force the service principal to be DES; 1 - create account 2 - run ktpass util with -mapop set +DesOnly and -crypto DES-CBC-MD5 options set. 3 - view account properites and ensure that 'use DES encryption f...

RE: kinit request on keytab fails using 2K3sp1 KDC #3
>From the determined kvno information, I am worried that starting again >will not resolve my issue. Assuming that the kvno is reset to 1, using >kvno and klist to determine the version number should return similar >results to above, but showing the number to be 1. What would the >difference be and would it resolve the pre-authentication issue? We found that even if we start again, we could not get the pre-auth to work. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Tim Alsop wrote: >>From the determined kvno information, I am worried that starting again >> will not resolve my issue. Assuming that the kvno is reset to 1, using > >> kvno and klist to determine the version number should return similar >> results to above, but showing the number to be 1. What would the >> difference be and would it resolve the pre-authentication issue? > > We found that even if we start again, we could not get the pre-auth to > work. The most important new functionality in the W2K SP1 version of KTPASS is that it allows you to export RC4-based keys instead of DES. Did you try using RC4 keys or were you only interested in using single DES? Jeffrey Altman ...

AIX 5.3: kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials
Hi list, kinit (krb5 1.4.2) on an AIX 5.3 gives me # /usr/local/bin/kinit -k -t foobar.keytab foobar/foo.example.net@EXAMPLE.NET kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials From a working Linux krb5 1.4.2 installation I copied /etc/krb5.conf and foobar.keytab to AIX 5.3. The following steps don't defer to the steps I did under Linux. # ./configure --without-krb4 --enable-shared # make && make install Using gcc 3.3.2. I found a patch for krb5 1.4.1 for AIX 5.2 from Ken Raeburn, but as far as I see it is fixed in 1.4.2. My krb5.conf looks like this: [libdefaults] default_realm = EXAMPLE.NET clockskew = 300 [realms] EXAMPLE.NET = { kdc = foo.example.net:88 admin_server = foo.example.net:749 default_domain = example.net kpasswd_server = foo.example.net } [domain_realm] .example.net = EXAMPLE.NET example.net = EXAMPLE.NET [logging] default = SYSLOG:NOTICE:DAEMON kdc = FILE:/var/log/kdc.log kadmind = FILE:/var/log/kadmind.log [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 debug = false } Trying to analyze with tcpdump I s...

RE: Re[3]: wxGTK 2.4.2 / GTK+ 2.6.2 Drag and Drop locks up #2
Kevin - I'd love to do just that (I've already built 2.5.3 and am perusing the CVS logs for deltas as I compose this), but my boss(es) are big on only deploying 3rd-party libraries which have been blessed as "stable" to our customers (yes, I'm on a commercial endeavor), and it's hard for me to blame them from a risk standpoint. I look forward to 2.6 (or whatever is to be the next stable release). To that point - can someone point me to the policies/criteria/processes/thresholds/heuristics for deeming a particular release as a "snapshot" or "st...

Re: Re: Artinsoft and e-ASG contact #2
Well, I tried a _beta_ of queryx... but I didn't like it much... What it was nice about it is that it has an IDE and thin clients and it could ran 4gl on ultiple databases... much more than what IBM currently offer. But all in all I didn't dig into the 4gl. I have to get some time to try Aubit, and Genero. Chucho! -----Original Message----- From: Data Goob <datagoob@hotmail.com> To: informix-list@iiug.org Date: Sat, 06 Nov 2004 14:36:57 -0500 Subject: Re: Artinsoft and e-ASG contact So have you worked with Aubit 4GL or other non-IBM versions to get the features you want? Seems to be plenty of activity outside IBM for 4GL variants so it would seem odd that you couldn't get what you want to add to 4GL. -DG- Jean Sagi wrote: > Not really, I'm just being sarcastic ;) with "Artinsoft and e-ASG contact"... I never liked java/J2EE so much. > > I preferer 4gl more... are far simpler, but I agree is old and sometimes give a lot of trouble... It's just that, personally I would like to see a newer 4gl in terms of 4gl not in terms of EGL/Java/J2EE. > > Chucho! > > > -----Original Message----- > From: Nebojsa Sevo <remove_nebojsa.sevo@zg.htnet.hr> > To: informix-list@iiug.org > Date: Fri, 05 Nov 2004 08:06:39 +0100 > Subject: Re: Artinsoft and e-ASG contact > > Can you explain this? Did you have bad experiences with them or know that > somebody el...

Re: section 3.2 of protocol draft #2
>>>>> "Miek" == Miek Gieben <miekg@atoom.net> writes: Miek> A security-aware recursive name server MUST NOT attempt to Miek> answer a query by piecing together non validated, cached Miek> data (i.e. glue) it received in response to previous queries Miek> that requested different QNAMEs, QTYPEs, or QCLASSes. Yes, it is clearer IMO. But I think the security aware server should do that for all cached data, not just non-validated data. Suppose the resolver gets a signed answer that says the next name after a.foo is z.foo. Is i...

RE: MIT Kerberos and Solaris 10 Kerberos #2
BTW, as a further clarification, the system was installed initially using our MIT Kerberos build (i.e. the same as we use on all of the Solaris 8 machines). I am now trying to get it to work with the Solaris 10 SEAM. One problem I see immediately (refreshing my memory with a couple quick tests) is that, when using the Sol10 SEAM to install the keytab, I immediately get: # kadmin -p rheilke/admin Authenticating as principal rheilke/admin@ATCOTEST.CA with password. Password for rheilke/admin@ATCOTEST.CA: kadmin: ktadd host/salty.atcotest.ca kadmin: Communication failure with server while changing host/salty.atcotest.ca's key kadmin: So, the Sol10 SEAM cannot seem to talk to the KDC. Rainer ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Heilke, Rainer wrote: > BTW, as a further clarification, the system was installed initially > using our MIT Kerberos build (i.e. the same as we use on all of the > Solaris 8 machines). I am now trying to get it to work with the Solaris > 10 SEAM. > > One problem I see immediately (refreshing my memory with a couple quick > tests) is that, when using the Sol10 SEAM to install the keytab, I > immediately get: > > # kadmin -p rheilke/admin > Authenticating as principal rheilke/admin@ATCOTEST.CA with password. > Password for rheilke/admin@ATCOTEST.CA: > kadmin: ktadd host/salty.atcotest.ca > kad...

question about MIT Kerberos KDC processing PROXY KDC requests
Hello, I understand that proxiable/proxy tickets are rarely used and the corresponding code in the MIT Kerberos implementation is not very well tested. However, I found two possibly buggy places in the KDC code, so I think this is worth asking about. I used the MIT Kerberos distribution and was able to make proxiable/ proxy tickets work, but had two make two changes in the KDC source code. I would like to ask if these are really bugs or not. We use the MIT Kerberos 1.6.3 release. Both suspicious places are in kdc/ kdc_util.c, validate_tgs_request(): 1. line 1144: if (request->kdc_options & NO_TGT_OPTION) { if (!krb5_principal_compare(kdc_context, ticket->server, request_server)) { *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; return(KDC_ERR_SERVER_NOMATCH); } } NOT_TGT_OPTION is defined as: #define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | KDC_OPT_VALIDATE) The KDC returns an error here if the server principal in the ticket does not match the one in the KDC request. I can see how this check is required for the "forwarded", "renew" and "validate" KDC requests. However, for a proxy ticket request, it seems that: - the ticket must be a TGT with ticket->server = krbtgt/R1@R2, for some R1 and R2 - the KDC request must have a server principal request->server = the target application server's Kerberos principal Should the #define NO_TGT_OPTI...

RE: Re[3]: wxGTK 2.4.2 / GTK+ 2.6.2 Drag and Drop locks up
Robert, I will when I get a chance; I'm focussed on fixing in 2.4.2 since that's what's "stable." See my related message re: gdk_pointer_ungrab for my current workaround. Thanks for your interest, Chris -----Original Message----- From: Robert Roebling [mailto:robert@roebling.de]=20 Sent: Friday, February 25, 2005 11:29 AM To: wx-users@lists.wxwidgets.org Subject: Re[3]: wxGTK 2.4.2 / GTK+ 2.6.2 Drag and Drop locks up Smouse, Chris: > Okay, everyone - I have written a minimal (~150 lines) test using=20 > wxGrid and DnD, and am able to r...

RE: Re[2]: [Mac, 2.8.2]
I agree that this is a good idea. I don't think we would need mac specific code, as I think the interface and implementation can be done on the generic interface of the wx controls. For the time being, all I was thinking of doing is a simple "if" where needed in the wxTextValidator to know whether it's dealing with a combo-box or text edit control (pretty much like the generic validator does). It seems to me very simple to do so, and that is definitely something I can do. As for creating a wxTextEntryIFace, I'm not 100% sure I understand your design concept. ...

RE: [tao-users] Re: Requests arriving between deactivate_object and etherealize #2
Hi, Do you have an update on the regression test? The new POA implementation is in cvs, we are handling the last issues but it would be great if we can fix your problem before the x.4.5 release. Johnny > -----Original Message----- > From: owner-tao-users@cse.wustl.edu > [mailto:owner-tao-users@cse.wustl.edu] On Behalf Of Johnny Willemsen > Sent: vrijdag 4 februari 2005 20:32 > To: 'Eider Oliveira' > Cc: tao-users@cs.wustl.edu > Subject: RE: [tao-users] Re: Requests arriving between > deactivate_object and etherealize > > Hi, > > > I'll write the regression test. > > Thanks very much! At the moment you have the regression test > ready, can you > make a bugzilla entry and file it there (see > http://deuce.doc.wustl.edu/bugzilla/index.cgi). Then the test and the > problem doesn't get lost in all the hectic work. > > Johnny > > > > > > On Thu, 3 Feb 2005 22:49:58 +0100, Johnny Willemsen > > <jwillemsen@remedy.nl> wrote: > > > Hi Eider, > > > > > > Thanks for using the PRF form. Would you be able to write a > > small regression > > > test that reproduces this problem. After the upcoming x.4.4 > > release we will > > > checkin a complete rewrite of the PortableServer library. > > The code you > > > mentioned has been refactored and already several ...

RE: [tao-users] Re: Requests arriving between deactivate_object and etherealize #2
Hi, > I'll write the regression test. Thanks very much! At the moment you have the regression test ready, can you make a bugzilla entry and file it there (see http://deuce.doc.wustl.edu/bugzilla/index.cgi). Then the test and the problem doesn't get lost in all the hectic work. Johnny > > > On Thu, 3 Feb 2005 22:49:58 +0100, Johnny Willemsen > <jwillemsen@remedy.nl> wrote: > > Hi Eider, > > > > Thanks for using the PRF form. Would you be able to write a > small regression > > test that reproduces this problem. After the upcoming x.4.4 > release we will > > checkin a complete rewrite of the PortableServer library. > The code you > > mentioned has been refactored and already several issues > has been resolved. > > When you could send us a regression test it will help us to > fix the problem > > then. > > > > For a peek at the new ServantActivator handling. > > > http://cvs.doc.wustl.edu/cvsweb.cgi/ACE_wrappers/TAO/tao/Porta > bleServer/Atti > > c/RequestProcessingStrategyServantActivator.cpp > > > > Regards, > > > > Johnny Willemsen > > Remedy IT > > Leeghwaterstraat 25 > > 2811 DT Reeuwijk > > The Netherlands > > www.theaceorb.nl / www.remedy.nl > > > > > > > This still valid for TAO 1.4.3, as I checked in the source code. ...

AD KDC - msktutil
Hi, I have this error (see subject) when using msktutil. Any idea what's wrong with my setup? (I've replaced hostnames and OU structure) /etc/krb5.conf (part) ========== [libdefaults] default_realm = EXAMPLE.ORG dns_lookup_realm = false dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] EXAMPLE.ORG = { default_domain = msnet.railb.be kdc = ictdc01.example.org admin_server = ictdc01.example.org admin_keytab = FILE:/etc/krb5.keytab } [domain_realm] .example.org = EXAMPLE.ORG example.org = EXAMPLE.ORG msktutil --create -h tstweb01 -b "OU=Linux Servers" --server ictdc01 -- verbose -- init_password: Wiping the computer password structure -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/ krb5.keytab -- create_fake_krb5_conf: Created a fake krb5.conf file: / tmp/.msktkrb5.conf-fbUui1 -- reload: Reloading Kerberos Context -- get_short_hostname: Determined short hostname: tstweb01 -- finalize_exec: SAM Account Name is: tstweb01$ -- try_machine_keytab_princ: Trying to authenticate for tstweb01$ from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (No such file or directory) -- try_machine_keytab_princ: Authentication with keytab failed -- try_machine_keytab_princ: Trying to authenticate for host/ tstweb01.example.org from local keytab... -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Client not found in Kerberos ...
