Displaying 20 results from an estimated 200 matches similar to: "GSSAPI cross-realm still broken"
2009 Mar 03
2
GSSAPI cross-realm fixed
Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes
cross-realm GSSAPI authentication.
Changes it makes:
1. When using krb5_kuserok, do not call gss_compare_name to check that
authn_name and authz_name are the same. Instead, make TWO calls to
krb5_kuserok, one for each ID. If both IDs are acceptable, allow the
login.
2. Disable checking that the name is a
2009 Jul 29
1
authn_name and authz_name differ: not supported
Hello,
I'm trying to authenticate using GSSAPI, but getting this in dovecot.log
"authn_name and authz_name differ: not supported". What is actually
trying to tell me? I remember once encountering this problem, but it went
away silently.
I'm using Mozilla Thunderbird 3 beta 3 and Dovecot 1.0.15
2012 Aug 10
11
[Bug 2032] New: Local user name in krb5_kuserok call
https://bugzilla.mindrot.org/show_bug.cgi?id=2032
Priority: P5
Bug ID: 2032
Assignee: unassigned-bugs at mindrot.org
Summary: Local user name in krb5_kuserok call
Severity: normal
Classification: Unclassified
OS: AIX
Reporter: miguel.sanders at uniforce.be
Hardware: PPC
Status: NEW
2011 Mar 10
1
Dovecot+Kerberos
Hi All.
I have a problem with authorizing AD users via Kerberos in
Dovecot & Postfix.
Windows SRV 2008 Standard - AD
mail server: Gentoo + cyrus-sasl + postfix + dovecot with support for
ldap & kerberos.
I created 4 keytabs on the Windows box.
C:\Users\Admin>ktpass -princ host/srv-mail.cn.energy at CN.ENERGY -mapuser
ldapmail at CN.ENERGY -pass "superpasswd" -crypto RC4-HMAC-NT
2007 Oct 10
0
GSSAPI Cross-Realm Patch
I've written a GSSAPI cross-realm auth patch for people not lucky enough
to have the __gss_userok function, though it should apply pretty cleanly
with that patch in place as well.
The patch is available at:
http://zinux.cynicbytrade.com/svn/servers/dovecot/cross-realm.diff.bz2
It works for me on MIT-kerb, and I tested compilation against heimdal,
but I don't have a cross-realm setup
2009 Mar 27
1
Patch for default Kerberos realm in AIX
Hi
I'm currently observing a rather bizarre situation when using password based Kerberos authentication in OpenSSH on AIX.
Even though AIX can authenticate a user via Kerberos (using the KRB5A load module), OpenSSH cannot Kerberos authenticate this user.
This is caused by the fact that the user has two attributes which OpenSSH doesn't take into account when forming the principal name of
2009 Aug 28
1
GSSAPI Authentication Broke with Dovecot 1.1.16 -> 1.2.4 Upgrade
This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a
FreeBSD 7.2 server, and then spent 3 hours trying to figure out why
GSSAPI authentication had broken.
It turned out to be a recent change in Dovecot's mech-gssapi.c to do
with checking for NULs in usernames: everything worked fine when I
disabled that test.
<http://hg.dovecot.org/dovecot-1.2/rev/5d53b1d66d1b>
This
2013 May 09
1
Crossrealm Kerberos problems
I am running dovecot 2.1.7 on Debian Squeeze 64 bit, config information
at the end of the email.
I am working on a Kerberos/GSSAPI based setup that requires cross-realm
authentication. I have regular GSSAPI working, I can log in using
pam_krb5 with password based logins or with the GSSAPI support when
using a kerberos ticket in the default realm.
However when I attempt to authenticate using
2005 Oct 19
2
[PATCH] Support for GSSAPI SASL Mechanism
Hi,
Attached is a patch against current CVS that adds support for the
GSSAPI SASL mechanism. It was written from scratch, after reading the
patch from Colin Walters against a much older version of dovecot.
Other than support for the 'GSSAPI' mechanism, it contains the
following changes:
- Added 'auth_krb5_keytab' option for
2005 Nov 27
3
OpenSSH and Kerberos / Active Directory authentication problems: Credentials cache permission incorrect / No Credentials Cache found
Greetings,
I'm working on the infrastructure of a medium size client/server
environment using an Active Directory running on Windows Server 2003 for
central authentication of users on linux clients.
Additionally OpenAFS is running using Kerberos authentication through
Active Directory as well.
Now I want to grant users remote access to their AFS data by logging in
into a central OpenSSH
2009 Jun 24
2
dovecot 1.2rc5 fails to authenticate user via GSSAPI
Hi,
we're facing problem where dovecot 1.2rc5 is not able to authenticate user via
gssapi. (I'm forwarding information from red hat's bugzilla)
Steps to reproduce:
1. Install dovecot with kerberos support, create mailboxes for the client
2. Get initial credentials on client side
3. Attempt to log in via dovecot using gssapi
-> login failed
Client side
1. Email client displays:
2008 May 18
1
Domain variable in checkpassword
Hello everyone
I'm using the checkpassword method but I don't get the domain a user inputs.
I can't cross check per virtual domains if I'm not getting one, which means
it renders all my efforts useless.
I've tried sending %d as a variable to my checkpassword script, but I'm just
getting %d instead.
This is a dump of my information:
%ENV = {
2009 Apr 02
17
[Bug 1583] New: User principal name in AIX
https://bugzilla.mindrot.org/show_bug.cgi?id=1583
Summary: User principal name in AIX
Product: Portable OpenSSH
Version: 5.2p1
Platform: PPC
OS/Version: AIX
Status: NEW
Severity: normal
Priority: P2
Component: Kerberos support
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy:
2005 Dec 30
1
Compile problem on FreeBSD 6.0-STABLE
Trying to update to dovecot-1.0.alpha5 and seeing this at compile time:
mech-gssapi.o mech-gssapi.c; then mv -f ".deps/mech-gssapi.Tpo"
".deps/mech-gssapi.Po"; else rm -f ".deps/mech-gssapi.Tpo"; exit 1; fi
mech-gssapi.c:30:27: gssapi/gssapi.h: No such file or directory
mech-gssapi.c:42: error: syntax error before "gss_ctx_id_t"
mech-gssapi.c:51: error:
2002 Jan 24
1
PATCH: krb4/krb5/... names/patterns in auth_keys entries
This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and
other principal names in authorized_keys entries.
It's a sort of replacement for .klogin and .k5login, but it's much more
general than .k*login as it applies to any authentication mechanism
where a name is associated with the ssh client and it supports name
patterns and all the normal authorized_keys entry options
2006 Jul 07
0
Bug#377276: "Did not receive identification string" warning reappeared
Package: logcheck-database
Version: 1.2.45
Severity: normal
Tags: patch pending confirmed
My bad, sorry.
--- rulefiles/linux/ignore.d.server/ssh 6 Jul 2006 10:16:41 -0000 1.18
+++ rulefiles/linux/ignore.d.server/ssh 7 Jul 2006 19:35:19 -0000
@@ -10,7 +10,7 @@
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: refused connect from [:[:alnum:].]+ \([:[:alnum:].]+\)$
^\w{3} [ :0-9]{11}
2003 Apr 22
2
Kerberos password change patch
Attached is a patch that allows for an interactive Kerberos password
change via keyboard-interactive, and also reports any banners received
from krb5_g_i_c_p() (e.g., password expiration notification if you have
krb5-1.2.x patched appropriately).
This could probably be refactored a bit and probably done better, but
I'm sending this in in case anyone finds it useful.
The major drawback is
2018 Dec 12
1
GSSAPI/Kerberos authenticate with Dovecot
Ah, I think what's going on here.
The wiki example and yours are using different setups.
The wiki uses a separate account, and not the computer account like you.
Based on that wiki.
- install server + samba. ( already done )
- join the domain. ( also done )
Good you said you have share access..
ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf << not needed.
Just use the
2014 Jan 30
0
Announce: OpenSSH 6.5 released
Changes since OpenSSH 6.4
=========================
This is a feature-focused release.
New features:
* ssh(1), sshd(8): Add support for key exchange using elliptic-curve
Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange
method is the default when both the client and server support it.
* ssh(1), sshd(8): Add support for Ed25519 as a public key type.
Ed25519 is a
2006 Feb 27
2
Bug in Kerberos support for openssh.
It took me a while to track this down. I am using MIT Kerberos 1.4.3
and libgssapi-0.7. With some patches that came with Suse 10, but that
doesn't appear to be relevant. I have been using openssh-4.2p1 (with
Simon's patches) and openssh-4p3p2 out of the box. I see the same
problem no matter which version of openssh I am using. I am using two
Suse Linux x86 boxes as a test