f



Variable kdc on kerberos.

Hi All, is there a way to set a variable, instead of a constant on the
kerberos config file under the kdc option?
I've a lot of Active Directory on my network, so if I want contact the
closer one I've to use variables to retrieve informations of our local Dns.

Many thanks
0
6/17/2010 4:48:39 PM
comp.protocols.kerberos 5541 articles. 1 followers. jwinius (31) is leader. Post Follow

0 Replies
451 Views

Similar Articles

[PageSpeed] 28

Reply:

Similar Artilces:

MIT Kerberos KDC & W2K Client: Changing expired password issueMIT Kerberos KDC & W2K Client: Changing expired password issue
Hi, I also experienced the same problem as William G.Zereneh (http://mailman.mit.edu/pipermail/kerberos/2004-May/005341.html). I'm able to change the password using ctrl-alt-del, but when the password is expired and windows asks me to change the password, I encountered "Domain MIT.REALM.COM is not available" error. As I sniff the packet, it noticed that it sent a CLDAP query message with filter: (&(DnsDomain = MIT.REALM.COM)(Host = myhostname)(NtVer=\006) which is returned NULL by my _ldap._tcp.dc._msdcs.REALM.MIT.COM How to resolve this problem ? maybe there's a missin...

Help on Unix kerberos client->win2k3 kerberos KDC
Hello, I am a newbie to kerberos authentication, and what I am trying to do is to use a Unix ldap client authenticate to the win2k3 server, and add a user to it. The way I tried to do is by following MIT's tutorial and sample code under www.mit.edu/afs/athena/astaff/project/ ldap/AD99/kerberossamp.txt. and I configured the Unix machine based on Microsoft tutorial http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp =========> I can successfully import a tgt from win2k3 KDC server by running kinit, here is the result: $ kdestroy $ kinitPassword for mw...

Kerberos KDC
Hello All, I am trying to set up a Kerberos 5 KDC on my servers. I run Windows IIS 6.0 and our management does not want to use Kerberos through AD. I was wondering if anyone could help me on where to start. Thanks in advance ...

FTP and Kerberos
Hi, I get the following Kerberos related error when i do FTP from another machine(redhat 9.0) to my machine(redhat 9.0). How to solve this problem ? Should i Need to start/stop some daemons ? here is what happens when i do FTP !!! --------->>>>>>>>> Here is it .....>>>> Connected to 107.108.89.173. 220 localhost.localdomain FTP server (Version 5.60) ready. 334 Using authentication type GSSAPI; ADAT must follow GSSAPI accepted as authentication type GSSAPI error major: Miscellaneous failure GSSAPI error minor: No credentials cache found GSSAPI error: in...

migration from Kerberos 4 to Kerberos 5
Hello, I have a few questions about migration to a new Kerberos version. In fact, the goal is to migrate a network with Kerberos 4 to the Kerberos 5(under Lin8x): 1) Do I have to reinstall Kerberos from the scratch or are there packages that allow to update the version? 2) What about the users that I created, are they still valid or will user information be lost. Part of the network uses already an LDAP directory, do I suppose this will not be a problem for this part, but in general, how can I migrate my user-accounts to the new version? 3) What about the clients, do I have to re-install the Kerberos-client on each workstation or can I use the "old" Kerberos clients? Could anybody answer my questions and perhaps give me some good hints for the migration respectively point me to some good documents? Thanx, CB ...

MIT Kerberos and Solaris 10 Kerberos
Greetings, everyone. We run a number of Solaris 8 systems using Sun's SEAM PAM implementation and MIT's Kerberos (which we're up to date on). We are starting to look at Solaris 10, and are hoping to move towards Sun's implementation of Kerberos. We are having a bit of trouble getting the two to talk properly, however. If we SSH (from production to test, for example) to a Solaris 8 machine, then we can rlogin (Kerberized) to the Solaris 10 machine and, from there, rlogin to a Sol8 machine again. If, however, we SSH directly to the Solaris 10 machine, we cannot rlogin to a Solaris 8 machine. Doing various experiments (for example, trying to ksu on the Sol 10 machine), the only error we ever get is: ksu WARNING: Your password may be exposed if you enter it here and are logged in remotely using an unsecure (non-encrypted) channel. Kerberos password for ux5p@ATCOTEST.CA: : ksu: Server not found in Kerberos database while geting credentials from kdc Authentication failed. Doing an rlogin to a Sol 8 machine gives no errors at all; it just quietly fails. The above error seems to indicate that the Solaris 10 Kerberos isn't passing the tickets to the Sol 8/MIT Kerberos servers (which, based upon certain differences, would not be a big surprise). Has anyone gotten this to work? The Sol 10 system is using the default Solaris 10 PAM implementation as well; not sure if this is part of the problem, but the configuration files are significantly different. Th...

Solaris 10 Kerberos KDC ignores settings in kdc.conf
I've configured Sun's Kerberos on a solaris 10 box. Everything seams to work straight, creating database, creating principles etc.. But the KDC ignores quite a few options in kdc.conf file, including: max_life = 12h 0m 0s max_renewable_life = 7d 0h 0m 0s default_principal_flags = +forwardable Not matter how I set these options, I _always_ get these for principles: Maximum ticket life: 24855 days 03:14:07 Maximum renewable life: 24855 days 03:14:07 Attributes: It seams Sun has some defaults set and are unchangeable. The gkadmin GUI utility shows the two life period exactly as the above number. If you change and save the changes, next time you run gkadmin, the old values come back. Has anyone seen the same behavior? And how to fix it? MIT Kerberos works fine, but to utilize Sun's PAM migration module for our existing user base (900 users), I need to run Sun's at least when we are migrating users. Applying Sun's Kerberos patch 120469-07 did not fix the problem. TIA, Qing Chang ...

question about MIT Kerberos KDC processing PROXY KDC requests
Hello, I understand that proxiable/proxy tickets are rarely used and the corresponding code in the MIT Kerberos implementation is not very well tested. However, I found two possibly buggy places in the KDC code, so I think this is worth asking about. I used the MIT Kerberos distribution and was able to make proxiable/ proxy tickets work, but had two make two changes in the KDC source code. I would like to ask if these are really bugs or not. We use the MIT Kerberos 1.6.3 release. Both suspicious places are in kdc/ kdc_util.c, validate_tgs_request(): 1. line 1144: if (request->kdc_options & NO_TGT_OPTION) { if (!krb5_principal_compare(kdc_context, ticket->server, request_server)) { *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC"; return(KDC_ERR_SERVER_NOMATCH); } } NOT_TGT_OPTION is defined as: #define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | KDC_OPT_VALIDATE) The KDC returns an error here if the server principal in the ticket does not match the one in the KDC request. I can see how this check is required for the "forwarded", "renew" and "validate" KDC requests. However, for a proxy ticket request, it seems that: - the ticket must be a TGT with ticket->server = krbtgt/R1@R2, for some R1 and R2 - the KDC request must have a server principal request->server = the target application server's Kerberos principal Should the #define NO_TGT_OPTI...

Kerberos Decrypted
http://www.digg.com/security/Kerberos_Decrypted ...

Replacing the system Kerberos with MIT Kerberos (from ports)
Is there a way to replace the Heimdal Kerberos libraries included in the FreeBSD base system with the MIT Kerberos libraries installed from the security/krb5 port? I know about the KRB5_HOME make option. I'm concerned about other "Kerberized" applications not working properly because they use the wrong client libraries, hence my desire to completely replace Heimdal with MIT Kerberos. The Heimdal Kerberos libraries shipped with the FreeBSD base system don't support TCP, so when a KDC replies to a client request with a response larger than the maximum UDP packet size, the Kerberos libraries return an error to the client instead of switching to TCP (which can handle large responses). I routinely encounter this problem when integrating FreeBSD servers and workstations into Windows Active Directory domains, where the KDC responses include additional authorization data derived from a security principal's group memberships: Samba's "net ads join" command fails with a "response too big for for UDP, retry with TCP" error when linked against Heimdal, but it succeeds (and everything else works properly) when linked against MIT Kerberos. (Note that I'm not willing to debate the semi-standard/non-standard inclusion of authorization data in a Kerberos ticket's PAC, nor am I willing to argue the applicability of the aforementioned operating systems to their assigned tasks.) Best wishes, Matthew ...

kerberos
Hi I have kerberos server setup, and it works fine with iseries navigator, I have to create a AS400 object now using Java and kerberos ticket, has any one done it successfully, does anyone have any code sample "polilop" <fmatosicSKINI@inet.hr> burped up warm pablum in news:fr3i5a$sn6$1@ss408.t-com.hr: > Hi > I have kerberos server setup, and it works fine with > iseries navigator, I have to create a AS400 object now > using Java and kerberos ticket, has any one done it > successfully, does anyone have any code sample You should read: http://publib.boulder...

Kerberos?
Who's using Kerberos authentication? Any pointers to procedure or documentation will be appreciated! Hi James, Not Me! But have a look at Doc 317141. That explains it in some more detail than the normal manual. Martin Bowes > Who's using Kerberos authentication? Any pointers to procedure > or documentation will be appreciated! > _______________________________________________ > Info-ingres mailing list > Info-ingres@cariboulake.com > http://mailman.cariboulake.com/mailman/listinfo.py/info-ingres > James Latimer wrote: > Who's using Kerberos authentication? Any pointers to procedure > or documentation will be appreciated! me neither, but this Chapter 13 may be of use: http://downloads.ingres.com/download/connect.pdf ...

kerberos?
Is anyone out there using kerberos authentication with their NonStop hosts? Between this and ssh, I am having trouble keeping up! Thanks in advance. ...

kerberos
Hi, I've seen a number of posts regarding similar issues, but none with answers.. maybe i'll be lucky... Trying to join a Linux samba box to a Win2k Domain via ADS.. Have used 'net join -U administrator%password' then get a list of errors about 20 lines long similar to this. "kerberos_knit_password fedora$@domain.com failed: Client not found in Kerberos database" But, it *does* join the domain and I can see and use the share.... Is there anything to worry about?? TIA, travelfurther.. ...

Kerberos
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

RE: MIT Kerberos and Solaris 10 Kerberos
Greetings, and thanks for the response. > > We run a number of Solaris 8 systems using Sun's SEAM PAM > implementation > > and MIT's Kerberos (which we're up to date on). We are > starting to look > > at Solaris 10, and are hoping to move towards Sun's > implementation of > > Kerberos. We are having a bit of trouble getting the two to talk > > properly, however. > > I'm confused - you cannot use the Solaris pam_krb5 with MIT Kerberos. > It is linked directly with the Solaris Kerberos libraries (private). I am trying to get the Solaris Kerberos (SEAM) on the Sol 10 system to talk to the MIT Kerberos on the KDC and other Solaris 8/MIT systems. > Solaris 10 Kerberos interops very well with MIT, Heimdal, and > Microsoft. > It has support for all of the enctypes (AES, RC4, 3DES, DES) finally. But I can't seem to get it to work. > > If we SSH (from production to test, for example) to a > Solaris 8 machine, > > then we can rlogin (Kerberized) to the Solaris 10 machine and, from > > there, rlogin to a Sol8 machine again. If, however, we SSH > directly to > > the Solaris 10 machine, we cannot rlogin to a Solaris 8 > machine. Doing > > various experiments (for example, trying to ksu on the Sol > 10 machine), > > the only error we ever get is: > > > > ksu > > WARNING: Your password may be exposed if you enter it here and are &g...

Solaris 10 Kerberos KDC ignores settings in /etc/krb5/kdc.conf
Greeting, sorry if I sent this in twice. I've configured Sun's Kerberos on a solaris 10 box. Everything seams to work straight, creating database, creating principles etc.. But the KDC ignores quite a few options in kdc.conf file, including: max_life = 12h 0m 0s max_renewable_life = 7d 0h 0m 0s default_principal_flags = +forwardable Not matter how I set these options, I _always_ get these for principles: Maximum ticket life: 24855 days 03:14:07 Maximum renewable life: 24855 days 03:14:07 Attributes: It seams Sun has some defaults set and are unchangeable. The gkadmin GUI utility shows the two life period exactly as the above number. If you change and save the changes, next time you run gkadmin, the old values come back. Has anyone seen the same behavior? And how to fix it? MIT Kerberos works fine, but to utilize Sun's PAM migration module for our existing user base (900 users), I need to run Sun's at least when we are migrating users. Applying Sun's Kerberos patch 120469-07 did not fix the problem. TIA, Qing Chang ...

Kerberos Administration Protocol
Hi, I'm looking for an open source Java implementation for the Kerberos administration protocol, for changing password, getprinc, delete_principal and so on. The main goals for kadmin, for the MIT implementation. Are there any libraries? If no, I would try to do an adHoc implementation. Are there documents? The only draft that I can see is http://tools.ietf.org/html/draft-ietf-cat-kerb-chg-password-00 Thanks, Massimiliano > Date: Tue, 02 Jun 2009 15:28:32 +0200 > To: kerberos@mit.edu > From: "max@mascanc.net" <max@mascanc.net> > Subject: Kerberos Administration Protocol > > Hi, > > I'm looking for an open source Java implementation for the Kerberos > administration protocol, for changing password, getprinc, > delete_principal and so on. The main goals for kadmin, for > the MIT implementation. > > Are there any libraries? > > If no, I would try to do an adHoc implementation. Are there > documents? The only draft that I can see is > > http://tools.ietf.org/html/draft-ietf-cat-kerb-chg-password-00 > > Thanks, > > > Massimiliano As it happens, I do have something that might be the start at this. It could stand a bit more "polishing" before being released, and at the moment, it's not on our priority list. If this is something of interest to you, we should certainly talk. You won't be at afsbpw 2009, by any chance? What I have ...

Kerberos Decrypted
http://www.digg.com/security/Kerberos_Decrypted ...

Kerberos
Hello, I read on the ibm site that KRB5A authentication is only supported on 5.2. We are currently runnin 5.1 and have an MCA based machine so there is no chance in upgrading to 5.2. Is there an open-source kerberos package for AIX, and how would you go about installing it. Any help would be greatly appreciated. Rich ...

OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Rather then implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two actions can be accomplished by a separate process, which can be forked and execd by the sshd and passed the environment which may have a KREB5CCNAME pointing at the Kerberos ticket cache Other parameters ...

FW: MIT Kerberos and Solaris 10 Kerberos
Sorry, I accidentally sent this reply just to Wyllys. In the interest of keeping the thread complete, I'll put it to the list as well. R > That's because Solaris 10 'kadmin' uses RPCSEC_GSS and > MIT uses a slightly different RPC protocol. This is not a new > issue, its been a problem ever since we introduced SEAM. > > The solution is that if your KDC is MIT, then you must use the MIT > 'kadmin' client to manage it. OK, thanks. So, I'll have to keep the MIT binaries around as well... Rainer ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

RE: MIT Kerberos and Solaris 10 Kerberos #3
Thanks for the response. Please see inline... > In Solaris 10, all of the Kerberos services are already bundled, > there is no longer any external packages that need to be added. Right. > Whoever told you 'ksu' was part of the encryption kit was mistaken, > ksu has never been part of SEAM. OK, thanks for that clarification. It was a bit of a surprise to me when I was told it was there. So, does the Solaris 10 SEAM have any functionality similar to ksu, or just the standard su command? > The encryption kit for Solaris 10 enhances the overall crypto > capabilities of the system, the only benefit Kerberos gets is > that it can support AES-256 with the S10 encryption kit. > Without the S10 encryption kit, the strongest AES crypto > available for Kerberos in S10 is AES-128. And this fits more with what I understood, before my co-worker's comments. > On the S10 system, you must make sure to enable the "eklogin" service. > Run this command (as root): > > # svcadm enable eklogin Hmm. That may be a good part of my problem. I added the inetd.conf entry for the old (MIT) eklogin, and ran inetconv. So, this is probably really confusing the system. I'll try to revert that, and do the svcadm. > For Solaris 8 with the SEAM rlogin daemon, make sure your > inetd.conf entries > are correct. We don't actually run SEAM on any Sol8 systems; it's all MIT. > Don't bother with inetd.conf in S10, ...

RE: MIT Kerberos and Solaris 10 Kerberos #2
BTW, as a further clarification, the system was installed initially using our MIT Kerberos build (i.e. the same as we use on all of the Solaris 8 machines). I am now trying to get it to work with the Solaris 10 SEAM. One problem I see immediately (refreshing my memory with a couple quick tests) is that, when using the Sol10 SEAM to install the keytab, I immediately get: # kadmin -p rheilke/admin Authenticating as principal rheilke/admin@ATCOTEST.CA with password. Password for rheilke/admin@ATCOTEST.CA: kadmin: ktadd host/salty.atcotest.ca kadmin: Communication failure with server while changing host/salty.atcotest.ca's key kadmin: So, the Sol10 SEAM cannot seem to talk to the KDC. Rainer ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Heilke, Rainer wrote: > BTW, as a further clarification, the system was installed initially > using our MIT Kerberos build (i.e. the same as we use on all of the > Solaris 8 machines). I am now trying to get it to work with the Solaris > 10 SEAM. > > One problem I see immediately (refreshing my memory with a couple quick > tests) is that, when using the Sol10 SEAM to install the keytab, I > immediately get: > > # kadmin -p rheilke/admin > Authenticating as principal rheilke/admin@ATCOTEST.CA with password. > Password for rheilke/admin@ATCOTEST.CA: > kadmin: ktadd host/salty.atcotest.ca > kad...

Web resources about - Variable kdc on kerberos. - comp.protocols.kerberos

Variable - Wikipedia, the free encyclopedia
Text is available under the Creative Commons Attribution-ShareAlike License ;additional terms may apply. By using this site, you agree to the ...

Westpac interest rate rise is one of many variable loan rate rises
WESTPAC is not alone in hitting its owner-occupier customers with a surprise interest rate rise, as dozens of other variable rate home loans ...

Airbnb upgrades variable pricing tool for hosts
Online home rental group Airbnb is rolling out an upgraded variable pricing tool that automatically raises or cuts room rates based on supply ...

Commonwealth Bank raises variable home loan rates
Home owners' mortgage costs are set to rise by hundreds of dollars a year, after the Commonwealth Bank became the latest bank to hike interest ...

CBA lifts variable home loan rates to offset costs associated with stricter capital requirements
The Commonwealth Bank to lift its home loan interest rates independently of the Reserve Bank to partially offset costs associated with stricter ...

Washington Square Signs Spielbergs, Choi Joins Variable and More
... films and an episode of the HBO comedy series "Girls," on which he plays the role of Ray Ploshansky. New York-based creative collective Variable ...

Mozilla moves Firefox to variable release schedule
... schedule process "carefully" and learning "a lot" from it in the past years, Mozilla has announced that Firefox is now moving to a variable ...

"You have to ignore many variables to think women are paid less than men. California is happy to try." ...
Writes Sarah Ketterer in The Wall Street Journal in "The ‘Wage Gap’ Myth That Won’t Die" (which you can get to without subscribing if you Google ...

Staley: 'A lot of different variables...been a hard year'
... 41° Navigation Home Giants A's Sharks Warriors Kings 49ers Raiders Quakes Insiders More Tickets Shop Watch Staley: 'A lot of different variables...been ...

When your environment variables are showing
There are embarrassing moments in life. There is the teacher calling you out as a child in class as you stare out the window wistfully imagining ...

Resources last updated: 3/10/2016 9:38:19 PM