Strange klist output, missing realm in service principal name


Hi all,

I am wondering what (if anything) is wrong with the following output
from klist. This is after authenticating against a kerberized Apache
server with Firefox and negotiation enabled:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: daff@EXAMPLE.COM

Valid starting     Expires            Service principal
12/17/10 05:47:13  12/17/10 15:47:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/18/10 05:50:05
12/17/10 05:47:45  12/17/10 15:47:13  HTTP/dev.example.com@
        renew until 12/18/10 05:50:05
12/17/10 05:47:45  12/17/10 15:47:13  HTTP/dev.example.com@EXAMPLE.COM
        renew until 12/18/10 05:50:05

Notice the first HTTP entry: the realm part after the "@" is missing. I
don't know for sure but this looks wrong to me. No example output of
klist I have ever seen when reading docs or googling looked like this.
However, everything seems to be working fine, i.e. logging into the
website works without extra password prompts from the browser, as
expected.

Any ideas what, if anything, is the problem here?

Thanks,

Andreas

daff2865, 12/17/2010 5:01:28 AM, comp.protocols.kerberos
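As an added check that is not part of the original post: the parser below reads the klist table, flags service principals whose realm after the "@" is empty, and pairs each with the canonical entry that has the same name and lifetime. In MIT krb5 an empty-realm entry paired that way is the cache alias left by a realm-referral lookup (the ticket is stored under both the requested and the canonical name), while one with no twin, shown with a constructed second sample, is worth investigating.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input copied from the klist output in the post above.
KLIST_FROM_POST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: daff@EXAMPLE.COM

Valid starting     Expires            Service principal
12/17/10 05:47:13  12/17/10 15:47:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/18/10 05:50:05
12/17/10 05:47:45  12/17/10 15:47:13  HTTP/dev.example.com@
        renew until 12/18/10 05:50:05
12/17/10 05:47:45  12/17/10 15:47:13  HTTP/dev.example.com@EXAMPLE.COM
        renew until 12/18/10 05:50:05
"""
# Constructed sample (not from the post): an empty-realm entry with no canonical twin.
KLIST_UNPAIRED = (
    "12/17/10 05:47:13  12/17/10 15:47:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
    "12/17/10 05:48:02  12/17/10 15:47:13  ldap/db.example.com@\n")

TICKET_RE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(?P<principal>\S+)\s*$")
RENEW_RE = re.compile(r"^\s+renew until\s+(?P<renew>\S.*?)\s*$")

@dataclass
class Ticket:
    start: str
    expires: str
    principal: str
    renew_until: Optional[str] = None

    def __post_init__(self):
        # Split at the last '@': realm is '' when the principal ends in a bare '@'.
        self.name, sep, self.realm = self.principal.rpartition("@")
        if not sep:  # defensive: a principal with no '@' at all is all name
            self.name, self.realm = self.principal, ""

def parse_klist(text: str) -> List[Ticket]:
    """Ticket rows become Ticket objects; a 'renew until' line attaches to the row above."""
    tickets: List[Ticket] = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(m["start"], m["expires"], m["principal"]))
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1].renew_until = m["renew"]
    return tickets

def canonical_twin(t: Ticket, tickets: List[Ticket]) -> Optional[Ticket]:
    """Entry with the same name, a non-empty realm and the same lifetime, if any."""
    for o in tickets:
        if o is not t and o.realm and o.name == t.name and (o.start, o.expires) == (t.start, t.expires):
            return o
    return None

def check_empty_realms(text: str) -> List[str]:
    """One finding per empty-realm entry: a referral alias when a canonical twin exists, else unpaired."""
    tickets = parse_klist(text)
    findings = []
    for t in (x for x in tickets if not x.realm):
        twin = canonical_twin(t, tickets)
        findings.append(f"{t.principal}: alias of {twin.principal}" if twin
                        else f"{t.principal}: unpaired (no canonical entry; check realm mapping)")
    return findings
```

Feed `check_empty_realms` the captured output of `klist` on the host in question; an empty result means no bare-"@" entries are present.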
