search for: gss_c_no_nam

(was: "Re: Pending OpenSSH release, call for testing", topic drift at its finest :-) Markus Moeller wrote: > Douglas, > > OK three possible settings(hostname,connection IP,GSS_C_NO_NAME) are fine for me too. Does GSS_C_NO_NAME relate to this bug (addressless tickets)? http://bugzilla.mindrot.org/show_bug.cgi?id=488 BTW, I opened a bug the the multihomed thing a couple of days ago: http://bugzilla.mindrot.org/show_bug.cgi?id=928 -- Darren Tucker (dtucker at zip.com.au) GPG key...

...s and should be authenticated with gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the server has to have an entry for this in the keytab and has to select the right key by determining the hostname from the connection IP-address. There is no other way to this (except with GSS_C_NO_NAME, which I haven't tested)than having a keytab entry per interface, which isn't a problem as gss_import will select the right one. Kerberos depends on a one-to-one mapping of hostname to ip-address. You should never have a hostname with two ip-addresses, Kerberos won't normaly work....

On Wed, 1 Feb 2017 07:30:19 -0800 Chris Stankevitz <chrisstankevitz at gmail.com> wrote: > On Wed, Feb 1, 2017 at 1:12 AM, Rowland Penny via samba > <samba at lists.samba.org> wrote: > > He is also unlikely to be running avahi, he is using Freebsd 10.3 > > truss (like strace) showed that wbinfo, net, and sshd were all hanging > after system calls to getuid() and

...> > auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \ >     --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1. > internal.domain.tld at REALM \ >     #Or if you dont have the SPN set. --kerberos > /usr/lib/squid/negotiate_kerberos_auth  -r -i -s GSS_C_NO_NAME \  >     --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego -- > domain=NTDOM > > And use ldap for the groups. Amos explain these thing better then me > ;-)  > Google this : [squid-users] external_acl_type LDAP for acl NOT > related to auth > And Re: [squid-users] Any...

I've not clear if is a squid or a samba/ntlm_auth trouble... indeed... In Squid i've added: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=LNFFVG --require-membership-of='LNFFVG\Domain Users' auth_param ntlm children 5 but in 'cache.log' i got: Winbindd lookupname failed to resolve 'LNFFVG\Domain into a SID! Winbindd

...low dont. > >> >> auth_param negotiate program >/usr/lib/squid3/negotiate_wrapper_auth -d \ >> --ntlm /usr/bin/ntlm_auth --diagnostics >--helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \ >> --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s >GSS_C_NO_NAME >> or >> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \ >> --ntlm /usr/bin/ntlm_auth --diagnostics >--helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \ >> --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s >GSS_C_NO_NAME >>...

...>>> auth_param negotiate program >>/usr/lib/squid3/negotiate_wrapper_auth -d \ >>> --ntlm /usr/bin/ntlm_auth --diagnostics >>--helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \ >>> --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s >>GSS_C_NO_NAME >>> or >>> auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \ >>> --ntlm /usr/bin/ntlm_auth --diagnostics >>--helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD \ >>> --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s >&g...

...gotiate auth. ( and use SSO ). auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \ --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld at REALM \ #Or if you dont have the SPN set. --kerberos /usr/lib/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME \ --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM And use ldap for the groups. Amos explain these thing better then me ;-) Google this : [squid-users] external_acl_type LDAP for acl NOT related to auth And Re: [squid-users] Any suggestions or comments about my configur...

...emoved |Added ---------------------------------------------------------------------------- CC| |simon at sxw.org.uk ------- Comment #2 from simon at sxw.org.uk 2006-08-19 08:31 ------- I'd rather see us move towards just using GSS_C_NO_NAME as the acceptor credential. However, library support for this is still emerging. [Sorry for the bad formatting of this, and my previous bug posts ...] ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

Hi, This is another attempt to get my gssapi for multi homed systems into openssh. Please find attach a small change so that gssapi authentication works on multihomed systems. Regards Markus -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-3.8p1-mm.diff Type: application/octet-stream Size: 3599 bytes Desc: not available Url :

...fter starting gse_krb5. This happened multiple times. Starting GENSEC submechanism gse_krb5 Client request timed out, shutting down sock 23, pid 89266 final write to client failed: Broken pipe 3. A complainted about gss_acquire_creds. This happened multiple times. gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials w ere unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit. Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR Failed to setup SPNEGO negTokenInit request: NT...

Having problems with rfc2307 user ids. This was working briefly and now it’s not. samba and winbind v 2.4.2.10+dfs wbinfo -u lists all the domain users wbinfo -g lists all the domain groups getent group lists all the local groups and the AD domain groups that have a UNIX gid set getent passwd lists only the local users, then pauses for a moment, then nothing. AD users can’t log in and can’t

...s showing up with a high level of debug for winbind: [2016/07/25 23:15:24.221239, 5] ../auth/gensec/gensec_start.c:672(gensec_start_mech) Starting GENSEC submechanism gse_krb5 [2016/07/25 23:15:24.263941, 5] ../source3/librpc/crypto/gse.c:265(gse_init_client) gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit. [2016/07/25 23:15:24.264068, 4] ../auth/gensec/gensec_start.c:679(gensec_start_mech) Failed to start GENSEC cli...

...tered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit. Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR SPNEGO login failed: An internal error occurred...

Hi, I have posted the following message to Squid-Users forum ( squid-users at lists.squid-cache.org). "I have migrated of Samba 4.2.1 to Samba 4.6.3 as DC, but now my Squid authentication doesn't work. In samba 4.2.1 is working properly. This is my authentication block: auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b DC=empresa,DC=com,DC=br -D

Dear Rowland Strange thing is that I do not receive notification on my email about your answers. Here we run an internal DNS. Samba was configured with Bind 9 as secondary DNS. When I put in domain.local settings, it is because we omit the company name. But the name of my domain ends with .local. I disabled Avahi daemon. When I try to run the command you quoted: smbclient -k -L

...--helper-protocol=gss-spnego --domain=NTDOM auth_param negotiate children 30 startup=5 idle=5 auth_param negotiate children 10 auth_param negotiate keep_alive on If you serve multiple Kerberos realms add a HTTP/fqdn at REALM service principal per realm to ?????? the HTTP.keytab file and use the -s GSS_C_NO_NAME option with negotiate_kerberos_auth. ? Greetz, ? Louis ? ? Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens Randi Indrawan Verzonden: vrijdag 23 augustus 2019 3:28 Aan: squid-users at lists.squid-cache.org Onderwerp: [squid-users] AD user Login + Squid Proxy + Autom...

...tered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'krb5' registered GENSEC backend 'fake_gssapi_krb5' registered Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit. Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR SPNEGO login failed: An internal error occurred...

...h -s > HTTP/hostname.internal.dnsdomain.tld at REALM \ > --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego > --domain=NTDOM > > Or > auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \ > --kerberos /usr/lib/squid/negotiate_kerberos_auth -s > GSS_C_NO_NAME \ > --ntlm /usr/bin/ntlm_auth > --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM If you > have problem with A/PTR record matching in your REALM and upn/spn. > > > This is what works with samba +ldap + tls. > ## SSL enabled ( URI format -H ) > auth_param basic pro...

If I am trying to build OpenSSH 6.6 with Kerberos GSSAPI support, do I still need to get Simon Wilkinson's patches? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |