


RE: MIT Kerberos and Solaris 10 Kerberos - never mind last question #2

> possibly 'su' with pam_krb5 for the authentication.  It's not quite
> the same as 'ksu', though.

Douglas says the same. The su man page indicates something about this,
but not a lot of details there. I'll look into this further. As far as a
co-worker is concerned (and in our environment, I can see his point),
this would be a show stopper. We use ksu for all sorts of things,
including giving DBAs access to Oracle IDs.

Thanks again for all of the help. I'll go through the su and pam.conf
man pages, and see if I can figure it out.

Rainer

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

1/11/2005 10:28:19 PM
comp.protocols.kerberos

Heilke, Rainer wrote:

>>possibly 'su' with pam_krb5 for the authentication.  It's not quite
>>the same as 'ksu', though.
> 
> 
> Douglas says the same. The su man page indicates something about this,
> but not a lot of details there. I'll look into this further. As far as a
> co-worker is concerned (and in our environment, I can see his point),
> this would be a show stopper. We use ksu for all sorts of things,
> including giving DBAs access to Oracle IDs.
> 
> Thanks again for all of the help. I'll go through the su and pam.conf
> man pages, and see if I can figure it out.

Make sure you have a root window open before testing PAM. I stumbled on
this when I tried to su and my test pam exit failed!


> 
> Rainer

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
deengert (574)
1/11/2005 11:14:47 PM