similar to: OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found

Displaying 20 results from an estimated 3000 matches similar to: "OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found"

2003 Sep 24
4
unified authentication
Howdy list, Sorry if this is a frequently discussed topic, or an off-topic question, but I couldn't find much info about my question by performing quick searches in the archives, and my question is pretty tightly related to security... Background: =========== I have a number of FreeBSD machines. Most are 4.x, but a few are 5.x (mainly the testing/devel machines). I also have a single Red
2020 Oct 01
2
Kerberos ticket lifetime
On 10/1/2020 8:41 AM, Rowland penny via samba wrote: > On 01/10/2020 13:38, Jason Keltz via samba wrote: >> On 10/1/2020 8:34 AM, Rowland penny via samba wrote: >> >>> On 01/10/2020 13:30, Jason Keltz via samba wrote: >>>> On 10/1/2020 8:28 AM, Rowland penny via samba wrote: >>>> >>>>> On 01/10/2020 13:17, Jason Keltz via samba wrote:
2004 Aug 12
14
Pending OpenSSH release, call for testing.
Hi All. OpenSSH is getting ready for a release soon, so we are asking for all interested parties to test a snapshot. Changes include: * sshd will now re-exec itself for each new connection (the "-e" option is required when running sshd in debug mode). * PAM password authentication has been (re)added. * Interface improvements to sftp(1) * Many bug fixes and improvements, for
2020 Oct 01
2
Kerberos ticket lifetime
On 10/1/2020 4:10 PM, Rowland penny via samba wrote: > On 01/10/2020 20:47, Jason Keltz via samba wrote: >> >> Hi Rowland, >> >> In my case, I think I may know why pam_winbind is not renewing the >> ticket before it expires. >> > I don't think it matters about the extra characters in the ticket > name, I think the ticket search looks for a ticket
2004 Feb 27
1
[PATCH] Getting AFS tokens from a GSSAPI-delegated TGT
Here is a patch I just wrote and tested which may be of interest to those who wish to use KerberosGetAFSToken (currently requires Heimdal libkafs) in combination with GSSAPIDelegateCredentials. The patch is in the public domain and comes with no warranty whatsoever. Applies to pristine 3.8p1. Works for me on Solaris and Tru64. I'd probably have used Doug Engert's patch from 2004-01-30 if
2017 Feb 10
5
cifs-utils: regression in (mulituser?) mounting 'CIFS VFS: Send error in SessSetup = -126'
On Fri, 2017-02-10 at 11:15 -0600, Chad William Seys wrote: > Hi Jeff, > > > So we have a default credcache for the user for whom we are operating > > as, but we can't get the default principal name from it. My guess is > > that it's not finding the > > This mount is run by root UID=0 and seems to be find that credential > cache without problem (earlier
2005 May 12
2
Problems with PAM environments in ssh
I've stumbled across a rather obscure problem with ssh. My machine is setup to use Kerberos authentication, i.e., I use the pam_krb5 module in the ssh auth section of the PAM configuration file and I have sshd compiled to accept valid Kerberos 5 tickets as well. I also use OpenAFS, so I've got the pam_openafs_session module in the ssh session section of the PAM configuration file. Everything
2013 May 09
1
Crossrealm Kerberos problems
I am running dovecot 2.1.7 on Debian Squeeze 64 bit, config information at the end of the email. I am working on a Kerberos/GSSAPI based setup that requires cross-realm authentication. I have regular GSSAPI working, I can log in using pam_krb5 with password based logins or with the GSSAPI support when using a kerberos ticket in the default realm. However when I attempt to authenticate using
2017 Apr 11
0
Good practices to make a Kerberos "mount.cifs" launched by root but with the credentials of another user
Hi, I have a Debian Stretch computer which is a "samba4 member server" of a Samba4 AD domain (versions etc. are mentioned at the end of the message). I think my config is OK and I can open a _graphical_ session with an AD account user. The display manager of the computer is Lightdm. For instance, I can open a graphical session with the AD account bob (uid == 14001). In this case, I
2006 Aug 04
2
[Bug 926] pam_session_close called as user or not at all
http://bugzilla.mindrot.org/show_bug.cgi?id=926 ------- Comment #21 from t8m at centrum.cz 2006-08-05 01:18 ------- The patch causes a regression with pam_krb5 module. See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201341 As I said above I think that the only correct solution which would solve all cases (privsep yes/no, root/regular user) would be to add another fork before the
2004 Jan 26
6
OpenSSH, OpenAFS, Heimdal Kerberos and MIT Kerberos
Rather than implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two
2024 Jun 06
2
kerberos default_ccache_name with sssd
Good day everyone, I am currently testing integrating kerberos into our MMR openldap cluster and things have gone well so far. I can ssh to my test clients using my kerberos credentials then ssh using GSSAPI to other hosts as defined in my principals using my ticket, achieving SSO. *I wanted to see if I could make the cache file user-specific, instead of the default location
2006 Sep 18
1
BSD Auth: set child environment variables requested by login script [PATCH]
Hello, in the BSD Authentication system the login script can request environment variables to be set/unset. The call to auth_close() in auth-passwd.c does change the current environment, but those changes are lost for the child environment. It would be really useful to add some kind of mechanism to get those changes into the child environment. I've added two possible solutions. Both
2002 Mar 09
0
krb5 problem: KRB5CCNAME is ""; possible fix for OpenSSH 3.0.2p1
I'm using an OpenSSH 3.0.2p1 with the krb5 patch from <http://www.sxw.org.uk/computing/patches/openssh.html>. I'm getting KRB5CCNAME set to "" even though <http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98269278629018&w=2> mentions fixing it. This causes things like kinit to fail with a somewhat uninformative error message. The relevant sshd_config lines
2003 Sep 08
0
Base pam_krb5 on recent -STABLE and credential cache storage
Hello, Prequalify: I'm quite a novice w/ Kerberos, so my terminology and assumptions may be rough. Also, please CC me since I'm not a list subscriber. I'm running a fairly recent -STABLE [1] and have installed the base Heimdal Kerberos implementation via the MAKE_KERBEROS5 knob in /etc/make.conf. I'm having the problem that I don't see a cached credential file being created
2009 Sep 19
1
cifs.upcall not respecting krb5ccname env var?
Hello, I've been doing some extensive troubleshooting with respect to some issues mounting CIFS shares on a Windows box via Kerberos. We're using the command: /sbin/mount.cifs //whatever/whatever /whatever -o sec=krb5i This should mount the share using Kerberos & Packet-signing by using the cached credentials of the user executing the command. With judicious use of strace, it
2001 Nov 17
1
[PATCH] Re: Kerberos support for portable
> FWIW, here are further patches which allow openssh-3.0p1 to work > with paleo-MIT Kerberos5 1.0.6, more or less (more with tickets > and less with the auth_krb5_password {get,verify}_init_creds stuff). Thanks for these. Unfortunately, your vrs patches seem to be based on an earlier version of my patch than the one you're bundling. In particular, your patch adds back in the
2012 Dec 10
3
Automatically Cleaning Kerberos Credential Cache Files
I'm in a situation here at work where I'm trying to support a mixed network of OS X and RHEL desktop machines with a Postfix/Dovecot combination. - user account information is stored in LDAP - user credentials are in MIT Kerberos - server is running RHEL 6/Dovecot 2.0.9/Postfix 2.6.6 I am currently using the PAM passdb module to authenticate my users (I began to have trouble
2004 Mar 29
1
openssh and SEAM (Kerberos)
I'm trying to get openssh to work with SEAM (Solaris Enterprise Authentication Mechanism) on Solaris 9. I have a few questions. Any help would be appreciated. I am working with openssh 3.8. 1. First of all, does anyone know if it is possible to get openssh working with SEAM? 2. Which options do I need to use when compiling openssh? Do I need to use --with-kerberos5=kerbpath or --with-pam
2005 Jan 20
1
LDAP + SASL (kerberos) password syncing
I am getting a bit confused about which methods to use to keep my passwords synced given the following scenario. Samba PDC using LDAP backend. LDAP uses {SASL}princ@REALM type passwords Sasl mechanism is saslauthd using kerberos5 I can use pam like: password required pam_smbpass.so password required pam_krb5.so use_first_pass and then passwd will set both passwords but how can I make it