similar to: pam session=yes with gssapi authentication

After update I have got this: samba-tool drs kcc -Uadm2 -d 9 INFO: Current debug levels: all: 9 tdb: 9 printdrivers: 9 lanman: 9 smb: 9 rpc_parse: 9 rpc_srv: 9 rpc_cli: 9 passdb: 9 sam: 9 auth: 9 winbind: 9 vfs: 9 idmap: 9 quota: 9 acls: 9 locking: 9 msdfs: 9 dmapi: 9 registry: 9 scavenger: 9 dns: 9 ldb: 9 tevent: 9 auth_audit: 9

Hi. Is it possible to use GSSAPI authentication and deny passdb together? Seems it doesn't work as I expect: GSSAPI doesn't check deny passdb, so I'm not able to restrict access to GSSAPI-users. I can see these in logs when user tries to connect with PLAIN authentication (via pam_krb5): Oct 4 11:14:31 vm03 auth: Debug: passwd-file(testuser,172.17.0.123): lookup: user=testuser

Hi all, We have 2 mail servers sitting behind linux-HA machines.The mail servers are currently running dovecot 1.0rc2. Looking to enable GSSAPI authentication, I exported krb keytabs for imap/node01.domain at REALM and imap/node02.domain at REALM for both mail servers. However, clients are connecting to mail.domain.com, which results in a mismatch as far as the keytab is concerned (and rightly

Hi Aleksey, did you find any solution for this? I just updated from 4.8.2 to 4.8.3 and had very similar effects: Login was no longer possible with 4.8.3 - log file was full of "ldb: Failed to unlock db" messages. I had to downgrade to 4.8.2 in order to make samba work again. Bye, Marcel June 28, 2018 10:28 AM, "Aleksey Vladimirov via samba" <samba at

Hi All, >From Changelog with 3.8: "The experimental "gssapi" support has been replaced with the "gssapi-with-mic" to fix possible MITM attacks.The two versions are not compatible." I am using OpenSSH-3.6 with Simon's patch and OpenSSH-3.7 built with GSSAPI support. The latest version OpenSSH-3.8 is not working with 3.6 or 3.7 with GSSAPI authentication. I

An updated version of my patch for Kerberos v5 support is now available from http://www.sxw.org.uk/computing/patches/openssh-2.5.2p1-krb5.patch This patch includes updated Kerberos v5 support for protocol version 1, and also adds GSSAPI support for protocol version 2. Unlike the Kerberos v5 code (which will still not interoperate with ssh.com clients and servers), the GSSAPI support is based on

Upgrading to the 3.8.x versions of OpenSSH appears to have broken support for Win2K KDC's. Win2K supports gssapi just fine, but the new gssapi-with-mic does not appear to work. I was able to use the old 3.6.x versions with Kerberos authentication, and the newer 3.7.x versions with gssapi authentication, but 3.8.x does not seem to work at all. The mitm patch provided for 3.8p1 does work, but

Trying to compile 1.1rc8 from scratch on FreeBSD 6.3 as well as from the dovecot-devel port and I get an error when trying to include gssapi. gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src/lib -I../../src/lib-sql -I../../src/lib-settings -I../../src/lib-ntlm -I../../src/lib-otp -DAUTH_MODULE_DIR=\""/usr/local/lib/dovecot/auth"\"

In the release notes for v1.2.2, Timo said: > Found and fixes several v1.2-specific bugs. Hopefully it's now stable > for most people's usage. > > * GSSAPI: More changes to authentication. Hopefully good now. > What were the GSSAPI changes? I am having problems with _some_ of my users using GSSAPI auth. I am using version 1.2.1. The client (thunderbird) reports that the

In pop3-login/client-authenticate.c, when sasl_server_auth_begin() is called, it does so with the service name of "POP3". GSSAPI uses this service name when obtaining its service credentials. The problem is that according to http://www.iana.org/assignments/gssapi-service-names , the service name should instead be simply "pop". This causes GSSAPI authentication to fail when

i've compiled openssh with the gssapi patches on a solaris 8 system using sun's SEAM. gssapi isn't initializing properly it seems. debug2: input_userauth_request: try method gssapi debug1: Mechanism negotiation is not supported Failed gssapi for xxxx from xxxx port 33555 ssh2 sun's kerberized tools are working fine. any help would be appreciated. -- http://chemlab.org -

I'm trying to get gssapi-with-mic to work but the enabled field in the method struct is disabled I.e. The gssapi-with-mic enable field s not enabled in in the *method struct; it fails at: if (authmethod_is_enabled(method)) in the authmethod_is_enabled(method) function call using ddd , OpenSSH 5.2.p1, Linux 2.6.22.5-31 (SuSE 10.2) Questiion - what enables gssapi-with-mic? Thanks tedc

Hey all, perhaps someone might be able to shed a little light on this problem. Nothing I find in books and groups seem to address the problem. I'm trying to set up a series of connections with ssh that authenticate through GSSAPI. However, it seems that the credentials are not getting passed. >From the client.. debug1: Next authentication method: gssapi-with-mic debug2: we sent a

Hi list! I'm wondering, what is the current status of GSSAPI (krb5) support in Dovecot? I know from googling that there used to be a patch for it around a year ago, but I haven't seen a trace of that patch ever since, and GSSAPI doesn't even seem to be mentioned in the Dovecot source tree (at least not according to "grep -irl"). Is GSSAPI planned at all, as it stands? If

Hi, I am doing some kerberos testing with samba4 using ssh. I have setup samba4 using the howto at http://wiki.samba.org/index.php/Samba4/HOWTO and active directory seems to be working both with Windows and Linux clients. ssh unfortunately is not kerberos authenticating via GSSAPI. The client krb5.conf contains this: ===================================================== [libdefaults]

I am trying to transition several HP/UX 11i (PA/RISC) servers from ssh.com over to OpenSSH+GSSAPI (3.9p1) and it's complaining about the GSSAPI include files: -=- gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -I/usr/local/krb5/include -DSSHDIR=\"/usr/local/etc\"

I am migrating an existing dovecot server to a new server. The existing server uses pam_krb5 and works with the plain and gssapi methods. The new server plain/pam_krb5 normal password authentication works. However, the gssapi (tickets) authentication is producing the following error: === Begin Error ==== imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.168.7.61,

Hi everyone I'm trying to use kerberos to authenticate to Samba 4 ldap. At the moment, I authenticate by specifying the binddn and password in /etc/nslcd.conf and all works fine If I add the line: sasl_mech GSSAPI to /etc/nslcd.conf and restart nslcd, no one can connect to the database. Nothing works. ldapsearch and getent passwd draw a blank. ldapsearch -x -b '' -sbase

I think I had better update akk the kerberos and gssapi to the latest? Please advise. Thanks Tedc ssh -vvv admin at geronimo.creedon.biz <<<<<<<<snip>>>>>>>>> debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/identity ((nil)) debug2: key: /root/.ssh/id_rsa (0x568da0) debug2: key:

This morning I upgraded a dovecot installation from 1.1.16 to 1.2.4 on a FreeBSD 7.2 server, and then spent 3 hours trying to figure out why GSSAPI authentication had broken. It turned out to be a recent change in Dovecot's mech-gssapi.c to do with checking for NULs in usernames: everything worked fine when I disabled that test. <http://hg.dovecot.org/dovecot-1.2/rev/5d53b1d66d1b> This