Strange klist output, missing realm in service principal name

Hi all,

I am wondering what (if anything) is wrong with the following output
from klist. This is after authenticating against a kerberized Apache
server with Firefox and negotiation enabled:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: daff@EXAMPLE.COM

Valid starting     Expires            Service principal
12/17/10 05:47:13  12/17/10 15:47:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/18/10 05:50:05
12/17/10 05:47:45  12/17/10 15:47:13  HTTP/dev.example.com@
        renew until 12/18/10 05:50:05
12/17/10 05:47:45  12/17/10 15:47:13  HTTP/dev.example.com@EXAMPLE.COM
        renew until 12/18/10 05:50:05

Notice the first HTTP entry, the realm part after the "@" is missing. I
don't know for sure but this looks wrong to me. No example output of
klist I have ever seen when reading docs or googling looked like this.
However, everything seems to be working fine, i.e. logging into the
website works without extra password prompts from the browser, as
expected.

Any ideas what, if anything, is the problem here?

Thanks,

Andreas

Posted by daff2865 to comp.protocols.kerberos, 12/17/2010 5:01:28 AM
