Displaying 20 results from an estimated 2000 matches similar to: "Central principal->user@host management?"
2005 Nov 27
3
OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
Greetings,
I'm working on the infrastructure of a medium size client/server
environment using an Active Directory running on Windows Server 2003 for
central authentication of users on linux clients.
Additionally OpenAFS is running using Kerberos authentication through
Active Directory as well.
Now I want to grant users remote access to their AFS data by logging in
into a central OpenSSH
2013 May 09
1
Crossrealm Kerberos problems
I am running dovecot 2.1.7 on Debian Squeeze 64 bit, config information
at the end of the email.
I am working on a Kerberos/GSSAPI based setup that requires cross-realm
authentication. I have regular GSSAPI working, I can log in using
pam_krb5 with password based logins or with the GSSAPI support when
using a kerberos ticket in the default realm.
However when I attempt to authenticate using
2007 May 15
5
Puppet performance
--On Monday, May 14, 2007 9:16 PM -0700 Jos Backus <jos@catnook.com> wrote:
> ObPuppet: we are ramping up our deployment this week to around 200 hosts. So
> far everything has been going smoothly.
We don't have nearly as many and yet, we see occasional errors ("End of
file reached") which seems to indicate the network cutting out. I can't
imagine what would
2002 Apr 20
2
Patch: update popt/ to 1.5.1
This patch updates the files under popt/ to the latest vendor drop. The only
change is the inclusion of a FreeBSD-specific patch to popt.c. This is needed
in case somebody decides to build rsync on that platform without using the
port. I'm not happy about the wording in popt/README.rsync so I may change it.
The patch is available at
http://www.catnook.com/rsync-popt-1.5.1.patch
Comments
2003 May 03
4
Update included popt to version 1.7
Perhaps now is a good time to commit this patch which updates the included
popt to version 1.7. This has been tested on FreeBSD and Solaris.
http://www.catnook.com/patches/rsync-popt-1.7.diff
Comments?
--
Jos Backus, Sunnyvale, CA
2007 Apr 26
2
[PATCH] facter: add interfaces, default_gateway facts on Linux
Quick and dirty:
--- lib/facter.rb (revision 203)
+++ lib/facter.rb (working copy)
@@ -989,6 +989,18 @@
%x{/usr/sbin/scutil --get LocalHostName}
end
end
+ Facter.add(:interfaces) do
+ confine :kernel => :linux
+ setcode do
+ %x{/sbin/ifconfig -a -s}.split($/)[1..-1].collect {|line|
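Review bot: In the setcode block of the new interfaces fact, `.split($/)[1..-1]` returns nil when the command yields no output, because slicing an empty array from index 1 gives nil, and the `.collect` that follows then raises NoMethodError. The fact is confined only with `confine :kernel => :linux`, not on /sbin/ifconfig being present and executable; consider confining on that as well, or guarding the slice with `|| []` before calling `.collect`.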
2007 Apr 27
2
Unsynchronized object state detection
Is there a way to specify on a per-object basis that Puppet should merely
report that an object needs to be updated without actually performing the
update?
This would make it possible to detect changes to critical objects (e.g. config
files) that Puppet shouldn't try to fix automatically.
--
Jos Backus
jos at catnook.com
2002 May 31
1
Updated ssh-agent authentication retry patch available
This patch against OpenSSH 3.2.3p1 implements an ssh-agent authentication
retry mechanism which is useful when starting many ssh clients in a short
period of time. The number of retries and the maximum delay between retries is
runtime-configurable using
AuthMaxRetries <integer>
AuthRetryDelay <seconds>
The patch is available at:
2002 Jul 12
2
Patch to update the included popt to 1.6.4
http://www.catnook.com/patches/rsync-popt-1.6.4.patch
has a patch which upgrades the popt included with rsync to the latest version,
1.6.4. The configure script had to be regenerated (with autoconf 2.53) because
popt.c wants HAVE_FLOAT_H. As an aside, I have heard people complain about
this version of autoconf generating scripts that break when run under bash (as
/bin/sh).
Comments?
--
Jos
2007 Sep 18
1
property.rb moved between 0.22 and 0.23?
FYI: We have a custom `checkout' type which stopped working when migrating
from 0.22.4 to 0.23.2-ish. This turned out to have been caused by the location
of property.rb changing between 0.22.4 (puppet/type/property.rb) and
0.23.2-ish (puppet/property.rb).
(I say 0.23.2-ish because I'm using 40491ebe7ca9692b57fb533412ece8fb694b7d4c
since it only has a few extra bugfixes over
2019 Oct 04
2
authorized_principals for Kerberos authentication
Hello,
SSH supports ~/.ssh/authorized_keys for SSH keys and
~/.ssh/authorized_principals for X509 certs.
I could not find an equivalent of authorized_keys
using Kerberos authentication.
IMHO it should be possible using the Kerberos principal
very much like the principal contained inside a X509
certificate.
My main use case is assigning a specific command to
a user logging in using Kerberos
2012 Dec 28
1
Kerberos/GSSAPI auth via .k5login file
Hi, we are currently moving our mailserver to a new server with Dovecot,
virtual users in LDAP, Passwords in Kerberos Setup. Everything works
fine except for GSSAPI which seems to be a bit buggy.
The thing is, that when using a .k5login [1] file it seems that SASL
does not get passed the home directory specified userdb. In other words,
mails for user1 (see below) are stored in
2007 Apr 28
1
pelementserver/XML-RPC interface question
One particular use of Puppet would be to serve as a machine fact/configuration
retrieval tool. So in order to produce a list of packages with version-release
info installed on each machine something along the lines of the following code
could be run:
require 'puppet'
Puppet::Type.type(:package).defaultprovider.list.each do |package|
puts
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and
other principal names in authorized_keys entries.
It's a sort of replacement for .klogin and .k5login, but it's much more
general than .k*login as it applies to any authentication mechanism
where a name is associated with the ssh client and it supports name
patterns and all the normal authorized_keys entry options
2009 Mar 03
2
GSSAPI cross-realm fixed
Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes
cross-realm GSSAPI authentication.
Changes it makes:
1. When using krb5_kuserok, do not call gss_compare_name to check that
authn_name and authz_name are the same. Instead, make TWO calls to
krb5_kuserok, one for each ID. If both IDs are acceptable, allow the
login.
2. Disable checking that the name is a
2007 Nov 29
3
gem provider non-interactive
Hi,
I was wondering if there is any way of getting the gem package provider to
run non-interactively? When upgrading mongrel it fails because it gets
prompted for which version to install:
Attempting remote update of mongrel
Select which gem to install for your platform (x86_64-linux)
1. mongrel 1.1.1 (ruby)
2. mongrel 1.1.1 (jruby)
3. mongrel 1.1.1 (mswin32)
4. mongrel 1.1 (mswin32)
5.
2007 May 07
2
Host information gathering
I'd like to keep the desired and current states of a machine regarding its
configuration.
Sometimes a chain of administrative commands is needed to get a special thing
(re)configured on a machine, e.g. reconfig of a suncluster. This cannot be
done with puppet in an easy way. In the majority of cases, these commands
change appropriate files, which reflect the current
2007 Oct 02
10
End of file and other errors: solution
For anyone that has experienced the odd End of file or Cannot describe
errors, we've found that switching to Mongrel has fixed this problem for
us. We're currently running 5 instances of puppetmaster under mongrel (with
the apache proxy in front) and things are going great.
For more information on setting up Mongrel, visit:
2001 Jun 28
1
Adding 'name' key types
Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I
noticed that there is a bit of functionality missing from
OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using
GSS authentication.
Yes, ~/.k5login can be used to grant access to an account for
applications that support Kerberos, as does OpenSSH with those GSS
patches, but .k5login does not and cannot provide
2008 Jun 05
14
Why not ignore stale PID files?
Hi,
I have an application which is dying horrible deaths
(i.e. segmentation faults) in mid-flight, in production... And of
course, I should fix it. But while I find and fix the bugs, I found
something I think should be different - I can work on submitting a
patch, as it is quite simple, but I might be losing something on my
rationale.
When Mongrel segfaults, it does not -obviously- get to clean