search for: principality

On Wed, 23 Apr 2025, Wiktor Kwapisiewicz via openssh-unix-dev wrote: > Hello, > > I'm currently evaluating using `ssh-keygen -Y verify` to check OS artifacts > (e.g. packages) and I noticed that the `-f allowed_signers_file` option can be > passed only once. A side remark: technically it can be passed multiple times > without a warning but the last invocation overrides all

Hello, I'm currently evaluating using `ssh-keygen -Y verify` to check OS artifacts (e.g. packages) and I noticed that the `-f allowed_signers_file` option can be passed only once. A side remark: technically it can be passed multiple times without a warning but the last invocation overrides all previous ones. Tested using: $ ssh-keygen -Y verify -f allowed_signers -f /dev/null -n file -s

Hello samba team ! I have some NFS4 exports managed by a Samba's Kerberos realm. All the standard user accesses work fine. I try now to setup an NFS4 root access to administer the share from another server (the two host are DC, one PDC and one SDC). But I have trouble understanding the kerberos/principals layer. ------------ Actually I do ------------- -> on the server I create an nfs

Hello, Maybe I did not understand correctly the PKI trust, so forgive me if I am wrong. For example, I have multiple hosts that all serves as monitoring server, I would like to trust only these hosts, so I enrol a certificate for these using "monitoring" principal, so I can connect only to these. At first I thought we can do Match statement at ssh_config, however, the Match is being

Thanks you very much Louis ! I have tried your setup and I can't mount the share neither from the server itself or the client. On /var/log/syslog I have : rpc.gssd : ERROR : no credentials found for connecting to server myserver This is because the machine principal is not present in the keytab : $ klist -k 1 nfs/myclient.samdom.com at SAMDOM.COM 1 nfs/myclient.samdom.com at SAMDOM.COM 1

Hai Baptiste, I re-checked my setup and your totaly correct. I can not enter the nfsV4 mounted directory as root. What i've added in idmap.conf Is this : Domain = your_DNS_domain.tld [Translation] Method = nsswitch And i found this link. http://serverfault.com/questions/526762/root-access-to-kerberized-nfsv4-host-on-ubuntu im testing this now. Greetz, Louis >

Hai, I had it the other way around. Only root acces. I have scripted my setup and tested on debian. Look here https://secure.bazuin.nl/scripts/these_are_experimental_scripts/ setup-nfsv4-kerberos.sh If you get the file, setup-nfsv4-kerberos.sh and compair it to your setup. If you can read the bash script maybe you see something you missed. When i write as "root" its root and

Dear all I'm unable to find an example of extracting the rotated scores of a principal components analysis. I can do this easily for the un-rotated version. data(mtcars) .PC <- princomp(~am+carb+cyl+disp+drat+gear+hp+mpg, cor=TRUE, data=mtcars) unclass(loadings(.PC)) # component loadings summary(.PC) # proportions of variance mtcars$PC1 <- .PC$scores[,1] # extract un-rotated scores of

Hi Rowland, Hi looks like the "-c" option is optional. My problem is not really the kerberos cache file, but the "principal" linked to the user kerbuser. The principal is HTTP/webserver.MYDOMAIN.LOCAL at MYDOMAIN.LOCAL I would like to use kinit and give this principal as parameter. something like : > kinit -k -t /root/my.keytab HTTP/webserver.MYDOMAIN.LOCAL at

Hi, I am new to samba and Kerberos so please be gentle! I have built a samba AD DC (v4.3.5) on Centos Linux from source and am trying to add a service principal and generate a keytab containing the principal. However the principal entry does not appear in the keytab. Here's what I did: [root at bones ~]# samba-tool spn add GEMSTONE64/bunk.gemtalksystems.com at

Hi all, Last week I noticed that the CertChecker in the Go implementation of x/crypto/ssh seems to be doing host principal validation incorrectly and filed the following bug: https://github.com/golang/go/issues/20273 By default they are looking for a principal named "host:port" inside of the certificate presented by the server, instead of just looking for the host as I believe OpenSSH

I am running a PCA, but would like to rotate my data and limit the number of factors that are analyzed. I can do this using the "principal" command from the psych package [principal(my.data, nfactors=3,rotate="varimax")], but the issue is that this does not report scores for the Principal Components the way "princomp" does. My question is: Can you get an

Darren, We have systems which are multihomed for virtualisation, but run only one sshd. You can connect to any IP-address and should be authenticated with gssapi/kerberos. So the client will ask for a principal host/virt-ip-X and the server has to have an entry for this in the keytab and has to select the right key by determining the hostname from the connection IP-address. There is no other way

Ok, now its clear to me. We need to set UMICH_SCHEMA in idmap.conf Read : http://linux.die.net/man/5/idmapd.conf Working on it now. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens L.P.H. van Belle > Verzonden: vrijdag 9 oktober 2015 13:34 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] kerberos

Hello, I need to do a principal component analysis with EQUAMAX-rotation. Unfortunately the function principal() I use normally for PCA does not offer this rotation specification. I could find out that this might be possible somehow with the package GPArotation but until now I could not figure out how to use this in the principal component analysis. Maybe someone can give an example on how to do

Hi, I am trying to run samba with bind_dlz (bind-9.9.1 - P1) on a multi-homed network. I have configured the setup as per Samba4 Howto. But when I try to do "samba_dnsupdate --all-names" it fails with error: dns_tkey_negotiategss: TKEY is unacceptable The kerberos ticket being used by samba_dnsupdate shows follwoing principals: klist -c /tmp/tmp6cxfgY Ticket cache: FILE:/tmp/tmp6cxfgY

Hi, Users who are interested in certificate authentication might be interested in this change: > - djm at cvs.openbsd.org 2010/05/07 11:30:30 > [auth-options.c auth-options.h auth.c auth.h auth2-pubkey.c key.c] > [servconf.c servconf.h sshd.8 sshd_config.5] > add some optional indirection to matching of principal names listed > in certificates. Currently, a

Hi OpenSSH devs, I?m wondering if the following has any merit and can be done securely ... If you could match on principals in the sshd_config, then (for example) on a gateway machine, you could have something like /etc/ssh/authorized_keys/sshfwd: cert-authority,principals=?batcha-fwd,batchb-fwd? ... /etc/ssh/sshd_config containing: Match User sshfwd PubkeyAuthentication yes

AFAIK everything you described here could be done using the AuthorizedKeysCommand or AuthorizedPrincipalsCommand directives. These can emit authorized_keys options (inc. permitopen) as well as the allowed keys/principals. On Sun, 12 Nov 2023, Bret Giddings wrote: > Hi OpenSSH devs, > > I?m wondering if the following has any merit and can be done securely ... > > If you could

Hi, When I have a service on a client that tries to use kerberos and I get errors such as these in the log.samba file: Kerberos: UNKNOWN -- host/ubuntu-test.mydomain.net @ MYDOMAIN.NET: no such entry found in hdb Does this mean that the kerberos authentication system is looking for the principal "host/ubuntu-test.mydomain.net @ MYDOMAIN.NET" in samba4's domain or in the