similar to: GSSAPI cross-realm still broken

Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication. Changes it makes: 1. When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login. 2. Disable checking that the name is a

Hello, I'm trying to authenticate using GSSAPI, but getting this in dovecot.log "authn_name and authz_name differ: not supported". What is actually trying to say me? I've remeber once encounter this problem but it get away silently. I'm using Mozilla Thunderbird 3 beta 3 and Dovecot 1.0.15

https://bugzilla.mindrot.org/show_bug.cgi?id=2032 Priority: P5 Bug ID: 2032 Assignee: unassigned-bugs at mindrot.org Summary: Local user name in krb5_kuserok call Severity: normal Classification: Unclassified OS: AIX Reporter: miguel.sanders at uniforce.be Hardware: PPC Status: NEW

Hi All. I have a problem with authorization users AD via kerberos in Dovecot&Postfix. Windows SRV 2008 Standart - AD mail server: Gentoo + cyrus-sasl + postfix + dovecot with support ldap&kerberos. I am created a 4 keytabs on Windows box. C:\Users\Admin>ktpass -princ host/srv-mail.cn.energy at CN.ENERGY -mapuser ldapmail at CN.ENERGY -pass "superpasswd" -crypto RC4-HMAC-NT

I've written a GSSAPI cross-realm auth patch for people not lucky enough to have the __gss_userok function, though it should apply pretty cleanly with that patch in place as well. The patch is available at: http://zinux.cynicbytrade.com/svn/servers/dovecot/cross-realm.diff.bz2 It works for me on MIT-kerb, and I tested compilation against heimdal, but I don't have a cross-realm setup

Hi I'm currently observing a rather bizarre situation when using password based Kerberos authentication in OpenSSH on AIX. Even though AIX can authenticate a user via Kerberos (using the KRB5A load module), OpenSSH cannot Kerberos authenticate this user. This is caused by the fact that the user has two attributes which OpenSSH doesn't take into account when forming the principal name of

This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a FreeBSD 7.2 server, and then spent 3 hours trying to figure out why GSSAPI authentication had broken. It turned out to be a recent change in Dovecot's mech-gssapi.c to do with checking for NULs in usernames: everything worked fine when I disabled that test. <http://hg.dovecot.org/dovecot-1.2/rev/5d53b1d66d1b> This

I am running dovecot 2.1.7 on Debian Squeeze 64 bit, config information at the end of the email. I am working on a Kerberos/GSSAPI based setup that requires cross-realm authentication. I have regular GSSAPI working, I can log in using pam_krb5 with password based logins or with the GSSAPI support when using a kerberos ticket in the default realm. However when I attempt to authenticate using

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Attached is a patch against current CVS that adds support for the GSSAPI SASL mechanism. It was written from scratch, after reading the patch from Colin Walters against a much older version of dovecot. Other then support for the 'GSSAPI' mechanism, it contains the following changes: - - Added 'auth_krb5_keytab' option for

Greetings, I'm working on the infrastructure of a medium size client/server environment using an Active Directory running on Windows Server 2003 for central authentication of users on linux clients. Additionally OpenAFS is running using Kerberos authentication through Active Directory as well. Now I want to grant users remote access to their AFS data by logging in into a central OpenSSH

Hi, we're facing problem where dovecot 1.2rc5 is not able to authenticate user via gssapi. (I'm forwarding information from red hat's bugzilla) Steps to reproduce: 1. Install dovecot with kerberos support, create mailboxes for the client 2. Get initial credentials on client side 3. Attempt to log in via dovecot using gssapi -> login failed Client side 1. Email client displays:

Hello everyone I'm using the checkpassword method but I don't get the domain a user inputs. I can't cross check per virtual domains if I'm not getting one, which means it renders all my efforts useless. I've tried sending %d as a variable to my checkpassword script, but I'm just getting %d instead. This is a dump of my information: %ENV = {

https://bugzilla.mindrot.org/show_bug.cgi?id=1583 Summary: User principal name in AIX Product: Portable OpenSSH Version: 5.2p1 Platform: PPC OS/Version: AIX Status: NEW Severity: normal Priority: P2 Component: Kerberos support AssignedTo: unassigned-bugs at mindrot.org ReportedBy:

Trying to update to dovecot-1.0.alpha5 and seeing this at compile time: mech-gssapi.o mech-gssapi.c; then mv -f ".deps/mech-gssapi.Tpo" ".deps/mech-gssapi.Po"; else rm -f ".deps/mech-gssapi.Tpo"; exit 1; fi mech-gssapi.c:30:27: gssapi/gssapi.h: No such file or directory mech-gssapi.c:42: error: syntax error before "gss_ctx_id_t" mech-gssapi.c:51: error:

This patch (to OpenSSH 3.0.2p1) adds support for using krb4, krb5 and other principal names in authorized_keys entries. It's a sort of replacement for .klogin and .k5login, but it's much more general than .k*login as it applies to any authentication mechanism where a name is associated with the ssh client and it supports name patterns and all the normal authorized_keys entry options

Package: logcheck-database Version: 1.2.45 Severity: normal Tags: patch pending confirmed My bad, sorry. --- rulefiles/linux/ignore.d.server/ssh 6 Jul 2006 10:16:41 -0000 1.18 +++ rulefiles/linux/ignore.d.server/ssh 7 Jul 2006 19:35:19 -0000 @@ -10,7 +10,7 @@ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sshd\[[0-9]+\]: refused connect from [:[:alnum:].]+ \([:[:alnum:].]+\)$ ^\w{3} [ :0-9]{11}

Attached is a patch that allows for an interactive Kerberos password change via keyboard-interactive, and also reports any banners received from krb5_g_i_c_p() (e.g., password expiration notification if you have krb5-1.2.x patched appropriately). This could probably be refactored a bit and probably done better, but I'm sending this in in case anyone finds it useful. The major drawback is

Ah, i think whats going on here. The wiki example and your are using different setup. The wiki uses a separate account, and not the computer account like you. Based on that wiki. - install server + samba. ( already dont ) - join the domain. ( also done ) Good you said you have share access.. ln -sf /usr/local/samba/private/krb5.conf /etc/krb5.conf << not needed. Just use the

Changes since OpenSSH 6.4 ========================= This is a feature-focused release. New features: * ssh(1), sshd(8): Add support for key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange method is the default when both the client and server support it. * ssh(1), sshd(8): Add support for Ed25519 as a public key type. Ed25519 is a

It took me a while to track this down. I am using MIT Kerberos 1.4.3 and libgssapi-0.7. With some patches that came with Suse 10, but that doesn't appear to be relevant. I have been using openssh-4.2p1 (with Simon's patches) and openssh-4p3p2 out of the box. I see the same problem no matter which version of openssh I am using. I am using two Suse Linux x86 boxes as a test