search for: authz

Displaying 20 results from an estimated 88 matches for "authz".

2018 Jan 12
2
SSH cert extensions and authz key options
Hi! I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and description for CLI arg -O in ssh-keygen(1). It seems to me that there could be a 1:1 mapping between SSH cert extensions and authz key options by just adding prefix "permit-" to the key option. But the man pages differ regarding case of "permit-x11-forwarding" and "X11-forwarding". [1] also says "permit-X11-forwarding". So it might only be a typo in ssh-keygen(1). Questions: Is there a...
2018 Jan 24
3
SSH cert extensions and authz key options
...ller wrote: > On Fri, 12 Jan 2018, Michael Ströder wrote: >> I'm looking at sshd(8), section AUTHORIZED_KEYS FILE FORMAT and >> description for CLI arg -O in ssh-keygen(1). >> >> It seems to me that there could be a 1:1 mapping between SSH cert >> extensions and authz key options by just adding prefix "permit-" to the >> key option. > > No, they are separate namespaces that happen to share similar options. Hmm... >> But the man pages differ regarding case of "permit-x11-forwarding" and >> "X11-forwarding"....
2014 Feb 09
1
master user and ACL's
...er is still subject to ACLs just like any other user, which means that by default the master user has no access to any mailboxes of the user." ... and that the standard workaround is to return master_user=%u from the userdb. But why is the master_user authn-id used in the ACLs and not the authz-id (requested-login-user) ? Isn't the whole point of SASL authz-id semantics to have authorization resolved based on the authz-id? /Peter
2009 Jan 27
7
authz.dll
I've downloaded the latest DB2 client, and its ODBC registration program complains that this is missing. No threads or references here. There didn't appear to be a download for it at M$. A search yielded lots of sites that offered it. Any recommendations? thanks
2020 May 14
4
Users lose supplementary groups after a time
...he common complaint that users lose supplementary group access after a while - in our case it seems to be connections left overnight. Restarting smb fixes it. I haven't been able to determine the cause. From the logs I've been able to determine a bad access looks something like this: AuthZ reports a S-1-5-21- SID: [2020/05/14 09:49:40.474490, 4] ../../auth/auth_log.c:751(log_successful_authz_event_human_readable) Successful AuthZ: [lsarpc,ncacn_np] user [DOMAIN]\[user] [S-1-5-21-DOMAIN_SID] at [Thu, 14 May 2020 09:49:40.474481 PDT] Remote host [ipv4:Y.Y.Y.Y:54184] local host [ipv...
2015 Feb 25
2
Proxying of non "plain" SASL mechanisms.
...d about the rationale for not just forwarding the SASL handshake. - First, blindly forwarding will not do, since the mech data has to be decoded anyway to do any per/user passdb lookup (to, say, find the target host). But you don't need authentication to actually succeed to do that. You only need AuthZ-id or AuthN-id. - Secondly, the design of the interaction between imap-login processes and the auth-service in general prevent in general to forward multi-handshake SASL mechanisms, since the authentication must be done before the proxying can be started. But it doesn't prevent forwarding of s...
2020 Jan 30
3
SSH certificates - restricting to host groups
...ice > and bob? Wouldn't that allow alice to ssh as alice, and www, and allow > bob to ssh as bob and www to any machines that had this > authorizedPrincipals file configuration? this is the right answer. you want to use AuthorizedPrincipalsFile (or AuthorizedPrincipalsCommand if your authz information needs to change on a quicker cadence than your config pushes) on the machines. you'd have something like $ cat /etc/ssh/sshd_config <snip> TrustedUserCAKeys /etc/ssh/TrustedUserCAKeys Match User www AuthorizedKeysFile /etc/ssh/empty AuthorizedPrincipalsFile /etc/ssh/ww...
2018 Feb 20
1
get_auth_event_server: Failed to find 'auth_event' registered on the message bus to send JSON authentication events to: NT_STATUS_OBJECT_NAME_NOT_FOUND
....7.5 debian 9.3 installed as join dc in existing domain on samba 4.1 everything look like working but some windows member stop to have access to shares on dc by ip connect by \\full_domain_name work there some log in samba dc [2018/02/20 15:15:00.652467, 4] ../auth/auth_log.c:860(log_successful_authz_event_human_readable) Successful AuthZ: [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Tue, 20 Feb 2018 15:15:00.652451 +07] Remote host [ipv6::::0] local host [ipv6::::0] [2018/02/20 15:15:00.652521, 4] ../auth/auth_log.c:220(log_json) JSON Authorization: {"timestamp"...
2006 Aug 24
9
[slightly offtopic] A small, fast Apache2.2 (if there is such a thing)
Hi. I'm using Apache2.2 built from source + mod-proxy + ssl + svn. Everything works fine but I'm sure you I could disable a ton of modules during the build process and in httpd.conf to speed things up and run a tighter memory footprint. Has anyone bothered building Apache2.2 from source disabling all the unneeded modules. I am planning on going through the Apache docs but I
2018 Apr 03
0
Renaming a joined windows workstation
...CONNECTION_DISCONNECTED' [2018/04/03 15:38:03.801475, 3] ../source4/smbd/process_single.c:114(single_terminate) single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED] [2018/04/03 15:38:03.823029, 4] ../auth/auth_log.c:860(log_successful_authz_event_human_readable) Successful AuthZ: [DCE/RPC,ncacn_np] user [TESTE]\[Administrator] [S-1-5-21-3073023332-2932986482-1183422282-500] at [Tue, 03 Apr 2018 15:38:03.823015 -03] Remote host [ipv4:10.255.1.104:63313] local host [ipv4: 10.255.0.3:445] [2018/04/03 15:38:03.823097, 4] ../auth/auth_l...
2006 Aug 29
28
Stability of Rails
I've seen a lot of issues regarding the stability of Rails apps. I'm charged with investigation of Rails for my company and I've looked at numerous forums, groups, etc. (Textdrive, here, etc.) and it *seems* like there is a stability problem with Rails (ie: crashes, etc.) Is this as common as it looks, or is this tied to things like Lighttpd (web server) or Typo
2009 Nov 30
1
Dovecot 1.2.x masteruser proxy problem
...com,192.168.22.222): result: mailHost(host)=xx.xx.xx.xx Nov 30 14:27:28 dougie dovecot: auth(default): ldap(some_user at example.com,192.168.22.222): invalid credentials (given password: master_password) Nov 30 14:27:28 dougie dovecot: auth(default): client out: FAIL 1 user=some_user at example.com authz nodelay host=xx.xx.xx.xx proxynologin pass=master_password master=master_user at example.com Nov 30 14:27:28 dougie dovecot: pop3-login: Ignoring unknown passdb extra field: authz -- View this message in context: http://old.nabble.com/Dovecot-1.2.x-masteruser-proxy-problem-tp26574804p26574804.h...
2012 Jul 14
1
[PATCH] Interop problem with Cyrus SASL and GSSAPI
...ngth output token. Dovecot currently sends this to the client as a zero-length continuation response, but this is incorrect according to RFC 4752: what it ought to do instead is proceed straight to the security layer negotiations, and send a gss_wrap packet. The second is that Cyrus sends an empty authz identity; that is, the security layer negotiation packet, when gss_unwrapped, is exactly 4 bytes long. Dovecot objects to this, but in RFC 4422 this is explicitly allowed, and means the authz identity is identical to the authn identity. I believe the attached patches (for the 1.2 and 2.1 branches)...
2020 Jan 30
6
SSH certificates - restricting to host groups
...ar removed from pushing out ~/.ssh/authorized_keys for each user. I was hoping to avoid the dependency on configuration management by carrying the authorization in the certs themselves - if that is in the spirit of the SSH cert mechanism. On 30/01/2020 16:05, Michael Ströder wrote: > Adding authz information to user certs means that you need to renew the > cert if the authz information changes during cert life-time. This can be > annoying for users. > > How long should your user certs be valid? I think on an initial implementation I'd go with 3-month certs, perhaps using a...
2018 May 28
5
Error IIS
...ult.c:151(smb_panic_default)   PANIC: internal error [2018/05/28 17:35:52.305123,  0] ../source4/smbd/process_standard.c:158(standard_child_pipe_handler)   standard_child_pipe_handler: Child 14753 () terminated with signal 6 [2018/05/28 17:35:53.345432,  4] ../auth/auth_log.c:860(log_successful_authz_event_human_readable)   Successful AuthZ: [LDAP,krb5] user [DOMAINXXXX]\[USERYYYYY] [S-1-5-21-1156415912-958998882-3220085130-1180] at [Mon, 28 May 2018 17:35:53.345385 -03] Remote host [ipv4:192.168.51.210:57372] local host [ipv4:172.16.1.102:389] [2018/05/28 17:35:53.352761,  0] ../lib/util/...
2017 Feb 17
5
Centos 7 httpd Permission problems with Postfixadmin
On 02/17/2017 01:11 PM, Pete Biggs wrote: >> From error.log: >> >> [Fri Feb 17 12:56:33.478024 2017] [authz_core:error] [pid 5759] [client >> 192.168.160.12:48290] AH01630: client denied by server configuration: >> /usr/share/postfixadmin > So it's an authorisation issue. In your .htaccess file change > > Order allow,deny > Allow from all > > to the apache...
2020 Jan 09
2
smbclient can access sysvol Windows clients cannot
...to DomB when I use explorer to browse to the share as DomA\user I receive the error "Access is denied". Users from DomB can access sysvol from Windows without issue. When DomA\user tries to connect to DomB's DC\sysvol, authentication is working as I get this in the logs: Successful AuthZ: [srvsvc,ncacn_np] user [DomA]\[user] [SID] at [Thu, 09 Jan 2020 14:52:05.969891 PST] Remote host [ipv4:xxx.xxx.xxx.xxx:60237] local host [ipv4:xxx.xxx.xxx.xxx:445] DomB DC's smb.conf is as follows: # Global parameters [global] workgroup = DOMB realm = domb netbios name...
2004 Jan 13
1
Using People for Machine accounts
...fter the add there are lookups for the machine account and then another add is attempted which fails with a duplicate: slapd[30427]: conn=32 fd=30 ACCEPT from IP=127.0.0.1:40399 (IP=:: 389) slapd[30429]: conn=32 op=0 BIND dn="cn=admin,dc=pmmc,dc=com" method=128 slapd[30429]: conn=32 op=0 AUTHZ dn="cn=admin,dc=pmmc,dc=com" mech=simple ssf=0 slapd[30429]: conn=32 op=0 RESULT tag=97 err=0 text= slapd[30427]: conn=33 fd=31 ACCEPT from IP=127.0.0.1:40400 (IP=:: 389) slapd[30560]: conn=33 op=0 BIND dn="cn=admin,dc=pmmc,dc=com" method=128 slapd[30560]: conn=33 op=0 AUTHZ dn=...
2020 Jan 30
5
SSH certificates - restricting to host groups
Hello, I am trying to work out the best way to issue SSH certificates in such a way that they only allow access to specific usernames *and* only to specific groups of hosts. As a concrete example: I want Alice to be able to login as "alice" and "www" to machines in group "webserver" (only). Also, I want Bob to be able to login as "bob" and
2017 Dec 27
2
AD replication problem "WERR_DS_DRA_ACCESS_DENIED" - need help debugging
...Refs)   ../source4/rpc_server/drsuapi/updaterefs.c:374: Refusing DsReplicaUpdateRefs for sid S-1-5-21-454945863-777199239-1595221609-1112 with GUID 0acce4bc-1193-4609-8e4d-a0771bb6fb76 Log on target DC dcnh1: ============== [2017/12/27 08:20:55.278559,  5] ../auth/auth_log.c:860(log_successful_authz_event_human_readable)   Successful AuthZ: [DCE/RPC,ncacn_ip_tcp] user [NT AUTHORITY]\[ANONYMOUS LOGON] [S-1-5-7] at [Wed, 27 Dec 2017 08:20:55.278538 CET] Remote host [ipv4:192.168.172.14:36196] local host [ipv4:192.168.152.15:135] [2017/12/27 08:20:55.278641,  5] ../auth/auth_log.c:220(log_jso...