Displaying 20 results from an estimated 3000 matches similar to: "[ GSSAPI ] Environment settings"
2003 Oct 30
3
[Bug 751] KRB5CCNAME set incorrectly in GSSAPI code
http://bugzilla.mindrot.org/show_bug.cgi?id=751
Summary: KRB5CCNAME set incorrectly in GSSAPI code
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: openssh-bugs at mindrot.org
2005 Jun 29
3
sshd deletes the GSSAPI ticket on exit
Hello All,
I have run into a situation where a user exiting from a
PAM_KERBEROS-authenticated session runs the risk of deleting a
kinit-generated credentials file that was already sitting on the server. I
will explain the problem in detail, but let me begin with my question. It
has a specific reference to PAM_KERBEROS, but it can also be a general
question.
If a user (ssh) session was
2004 Jan 26
6
OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Rather then implementing kafs in MIT Kerberos, I would like to
suggest an alternative which has advantages to all parties.
The OpenSSH sshd needs to do two things:
(1) sets a PAG in the kernel,
(2) obtains an AFS token storing it in the kernel.
It can use the Kerberos credentials either obtained via GSSAPI
delegation, PAM or other kerberos login code in the sshd.
The above two
2003 Nov 11
1
AIX KRB5CCNAME problem
I believe there is a bug in how AIX handles the KRB5CCNAME environment
variable. The symptom occurs when a root user restarts sshd while they
have KRB5CCNAME set; all of the resulting client connections will inherit
the same KRB5CCNAME variable. This can occur if the admin uses 'ksu' or
some other kerberized method of obtaining root privileges.
Investigating this problem, I stumbled
2004 May 04
3
Error with USE_POSIX_THREADS and OpenSSH-3.8p1
Hello,
I am using OpenSSH-3.8p1 on HP-UX machine with USE_POSIX_THREADS option.
This is for making the kerberos credentials file to be created in the system
with PAM. In OpenSSH versions 3.5 when authentication is done with pam
kerberos, a /tmp/krb5cc_X_Y file is created on the server side. But the
KRB5CCNAME variable is not set by default. So, after we manually set this
environment variable, the
2017 Dec 23
5
[Bug 2815] New: please set KRB5CCNAME to collection
https://bugzilla.mindrot.org/show_bug.cgi?id=2815
Bug ID: 2815
Summary: please set KRB5CCNAME to collection
Product: Portable OpenSSH
Version: 7.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Kerberos support
Assignee: unassigned-bugs
2016 Oct 11
2
Problems with GSSAPI and LDAP
On 2016-10-11 10:00, Aki Tuomi wrote:
> On 11.10.2016 10:43, Juha Koho wrote:
>>
>> On 2016-10-11 09:18, Aki Tuomi wrote:
>>> On 11.10.2016 10:13, Juha Koho wrote:
>>>> Hello,
>>>>
>>>> I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying
>>>> to
>>>> set up a GSSAPI Kerberos authentication with
2016 Oct 11
2
Problems with GSSAPI and LDAP
Hello,
I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying to
set up a GSSAPI Kerberos authentication with the LDAP server but with
little success. Seems no matter what I try I end up with the following
error message:
dovecot: auth: Error: LDAP: binding failed (dn
(imap/host.example.com at EXAMPLE.COM)): Local error, SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS
2005 May 12
2
Problems with PAM environments in ssh
I?ve stumbled across a rather obscure problem with ssh. My machine is
setup to use Kerberos authentication, i.e., I use the pam_krb5 module in
the ssh auth section of the PAM configuration file and I have sshd
compiled to accept valid Kerberos 5 tickets as well. I also use OpenAFS,
so I?ve got the pam_openafs_session module in the ssh session section of
the PAM configuration file.
Everything
2017 Aug 05
3
Printing with smbspool_krb5_wrapper not working in Ubuntu 16.04
> > I should have mentioned this earlier, but the users does not exist
> > in /etc/passwd, instead they are in LDAP and when they log in to the
> > computer they get some Kerberos tickets for the domain and the file
> > system. When printing on 14.04 they get another Kerberos ticket for
> > the printing system according to "klist" after they have done
2016 Oct 11
2
Problems with GSSAPI and LDAP
On 2016-10-11 09:18, Aki Tuomi wrote:
> On 11.10.2016 10:13, Juha Koho wrote:
>> Hello,
>>
>> I have a Dovecot 2.2.25 set up with OpenLDAP back end. I was trying to
>> set up a GSSAPI Kerberos authentication with the LDAP server but with
>> little success. Seems no matter what I try I end up with the following
>> error message:
>>
>> dovecot:
2003 Sep 24
1
Patches for compatibility with Heimdal's libsia_krb5 SIA module
I have found the following patches to be desirable for using sshd on a
Tru64 UNIX system with the Kerberos 5 SIA module (libsia_krb5.so) from
Heimdal.
These patches do the following:
1) preserve context between the password authentication and the session
setup phases. This is necessary because the Heimdal SIA module stores
Kerberos context information as mechanism-specific data in
2003 Nov 12
2
[Bug 757] KRB5CCNAME inherited from root's environment under AIX
http://bugzilla.mindrot.org/show_bug.cgi?id=757
Summary: KRB5CCNAME inherited from root's environment under AIX
Product: Portable OpenSSH
Version: -current
Platform: PPC
OS/Version: AIX
Status: NEW
Severity: minor
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
2017 Feb 11
2
[RFC][cifs-utils PATCH] cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's /proc/<pid>/environ file
Chad reported that he was seeing a regression in cifs-utils-6.6. Prior
to that, cifs.upcall was able to find credcaches in non-default FILE:
locations, but with the rework of that code, that ability was lost.
Unfortunately, the krb5 library design doesn't really take into account
the fact that we might need to find a credcache in a process that isn't
descended from the session.
When the
2004 Feb 27
1
[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
Here is a patch I just wrote and tested which may be of interest to
those who wish to use KerberosGetAFSToken (currently requires Heimdal
libkafs) in combination with GSSAPIDelegateCredentials. The patch is
in the public domain and comes with no warranty whatsoever. Applies
to pristine 3.8p1. Works for me on Solaris and Tru64.
I'd probably have used Doug Engert's patch from 2004-01-30 if
2016 Oct 11
2
Problems with GSSAPI and LDAP
On 2016-10-11 11:03, Aki Tuomi wrote:
> On 11.10.2016 11:56, Juha Koho wrote:
>>
>> On 2016-10-11 10:00, Aki Tuomi wrote:
>>> On 11.10.2016 10:43, Juha Koho wrote:
>>>>
>>>> On 2016-10-11 09:18, Aki Tuomi wrote:
>>>>> On 11.10.2016 10:13, Juha Koho wrote:
>>>>>> Hello,
>>>>>>
2009 Sep 19
1
cifs.upcall not respecting krb5ccname env var?
Hello,
I've been doing some extensive troubleshooting with respect to some issues
mounting CIFS shares on a Windows box via Kerberos. We're using the command:
/sbin/mount.cifs //whatever/whatever /whatever -o sec=krb5i
This should mount the share using Kerberos & Packet-signing by using the
cached credentials of the user executing the command. With judicious use of
strace, it
2017 Feb 14
3
[PATCH v2 0/2] cifs.upcall: allow cifs.upcall to grab $KRB5CCNAME from initiating process
Small respin of the patches that I posted a few days ago. The main
difference is the reordering of the series to make it do the group
and grouplist manipulation first, and then the patch that makes
it grab the KRB5CCNAME from the initiating process.
I think the code is sound, my main question is whether we really
need the command-line switch for this. Should this just be the
default mode of
2019 Mar 02
2
Running off pre-created keytabs
On Sat, 2 Mar 2019 10:25:49 +0100
Michael Ströder <michael at stroeder.com> wrote:
> On 3/1/19 10:17 PM, Rowland Penny via samba wrote:
> > You don't need to precreate the computer, the join with 'net' will
> > do it for you.
>
> But then I need to have administrative rights on the OU for the admin
> doing the actual join. For security reasons I
2017 Nov 23
2
Compiling Samba 4.7 with systemd support on Fedora 26
Am 23.11.2017 um 23:03 schrieb Rowland Penny via samba:
> On Thu, 23 Nov 2017 21:46:17 +0000
> Arnab Roy <arniekol at gmail.com> wrote:
>
>> The systemd unit file looks like as follows:
>>
>> [Unit]
>> Description=Winbindd Service
>> After=syslog.target network.target
>>
>> [Service]
>>