similar to: GSSAPI Cross-Realm Patch

I've updated my krb5 cross-realm auth patch for dovecot 1.1-rc4; there are not any (intentional) changes in functionality from the last patch, the diff just didn't apply cleanly anymore. As before the most recent version of the patch is available at: http://zinux.cynicbytrade.com/svn/servers/dovecot/cross-realm.diff.bz2 I see the cross-realm patch for Solaris made it into the

Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication. Changes it makes: 1. When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login. 2. Disable checking that the name is a

I've been trying to track down some problems with Dovecot in a Kerberos 5 cross-realm environment, and there seem to be a few issues. LOGIN/PLAIN work fine using pam_krb5, but GSSAPI is a bit harder to handle. On line 436 of src/auth/mech-gssapi.c, the authn_name and the authz_name are compared using gss_compare_name. This dates back to the message at:

Hi, I'm running OpenSSH 3.8 & 3.9, compiled against Heimdal 0.6.3 for it's GSSAPI & AFS integration. A couple weeks ago, we upgraded our MIT KDC from (ugh) Kerberos 5 1.0.6 to the lastest and greatest 1.3.5. However, it seems that as part of the upgrade, our GSSAPI credentials passing in OpenSSH stopped working. Actually, didn't completely stop... You can still do a

... Setting up a Samba PDC with the following: FreeBSD 5.3 Samba 3.0.x OpenLDAP 2.2.x Kerberos (Heimdal) Would like LDAP to take care of both posixAccount(s) and sambaSamAccount(s). Posix account via nsswitch+pam_ldap. Hope to find one complete documentation that describes this setup from scratch, start to finish. A Ports style install of all packages is fine but I can download, compile and

I'm new to this list, and I apologize if this is an already answered question, but my Google-fu was not strong enough to find the answer if it was. I'm having a problem with DTMF on incoming IAX calls. For the first few seconds of the call (between maybe 1 and 15, it varies from call to call) everything works fine. After that I continue get DTMF_E messages from the remote IAX server

I saw some past chatter on this in the list archives, but here is another stab and another rational. This patch follows a similar patch to openssh in that it allows any key in the specified keytab to match the incoming host key. This is necessary for multihomed hosts. See: https://bugzilla.mindrot.org/show_bug.cgi?id=928 IMAP/POP seem to be a strong candidate to be multihomed because they are

I'm trying to understand what is definitive about samba 4.x as an AD DC. First, does samba need to have heimdal or mit kerb installed? Following the how to at https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO I don't see that it does. After getting samba to work in its plain defaults, I then proceeded to configure it to use bind9 as shown in the bind howto -

I store my file_column database outside of my RAILS_ROOT. It seems to work in real life, but not in tests. In the tests, I can''t set both the root_path and the store_dir. In tests, setting the store_dir option will override the root_path option. The only way for root_path to work is to remove store_dir. I think the problem is in file_column.rb on line 22: options[:store_dir]

steve wrote: > > My only remaining question is that to open port 22 on the file server, > I've had to open all the other ports otherwise I could not kinit or > anything else. Could you/is there a list of ports which need to be > open for a S3 fileserver which is also a nfs server to be able to > communicate to the rest of the LAN without all ports being opened? > >

Hi Rowland, Thanks for your explanation. We have set up Samba to authenticate users against an external MIT Kerberos server and usernames match those in Unix password files. The setup was almost exactly like the Ubuntu help page: https://help.ubuntu.com/community/Samba/Kerberos#MIT_Kerberos There are others who have also set up Samba this way:

I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :) Modern versions of MIT kerberos support GSS-SPNEGO natively, but are only willing to negotiate for kerberos tickets and not NTLM

Folks, I seem to have a problem when I upgraded our kerberos from 1.3.1 to 1.4.1 (MIT krb 5), all of a sudden I can't ssh as another user. i.e. ssh host works but ssh joe at host doesn't work. Same with scp's. I've tried recompiling ssh (even though the so-name of kerb libs didn't change), but it didn't work, and still no go... I'm using openssh 3.9p1 on Solaris

On Tue, 2019-10-22 at 22:26 -0700, Jeremy Allison via samba wrote: > On Mon, Oct 21, 2019 at 10:07:20AM +0200, Prunk Dump via samba wrote: > > I don't know if winbind "officially" support suspending. Currently > > I > > have written a systemd hook that kill winbind before suspend and > > restarting it after. > > It hasn't been tested in that mode

Hello, I have a compile problem concerning samba-3.0.0 (final) with gssapi on a Solaris 9 machine. I don't know how to fix this, so any suggestions are welcome. Situation: We use LDAP to authenticate logins of a group of users, so I want to use this LDAP directory also from samba. (Openldap-2.1.22 was compiled with BerkeleyDB.4.1, heimdal-0.6 kerberos, and cyrus-sasl-2.1.13). After a

Hello all, I am trying to understand how SAMBA finds nearest Domain Controller when configured to use Active Directory for AuthN. There are some great articles and wikis about how to configure SAMBA against AD, but couldn't find much on what I was looking for. For example 1. Does Samba have built in dc locator functionality like windows clients ? 2. What is the default authN it uses, NTLM

I've had some trouble compiling GSSAPI on SuSE Enterprise 9 using Heimdal. It turns out that this installation has /usr/include/heimdal/gssapi.h rather than gssapi/gssapi.h. krb5-config correctly sets -I/usr/include/heimdal in the CFLAGS. Looking back, there was a similar issue a few months ago:- http://www.dovecot.org/list/dovecot/2006-July/014945.html I'm a complete newbie to

On Wed, Nov 21, 2001 at 01:41:42PM -0500, John Hawkinson wrote: > auth-krb5.c > auth1.c > compat.c > comapt.h > servconf.c > session.c > session.h > sshconnect1.c > sshd_config why do you need to touch these files? for MIT K5? or for adding back the told ticket passing behaviour? i have no string opinion about whether the AFS/Kerb tickets should be passed

Is something special required for KerbV auth to work? I've enabled: KerberosAuthentication yes on some test boxes and it doesn't work. I do a kinit, and then ssh and it asks for a password. If you don't provide one, you don't get in.

I've setup samba to use ldap. I've propogated the directory. I've setup the kerberos realm. I can authen to samba & browse shares via uid/passw held in ldap. I cannot seem to get samba to accept kerb authen instead of uid/passw. Help...... Thanks. Read the #$@^(!*&$!* manual, and about 200 webpages. Scanning news groups, recompiling..... Grrrrr!