Any workaround for [domain_realm] section


Any workaround for [domain_realm] section

by Abhishek Chowdhury

I am using Kerberos v5.
Following is the domain_realm section of my Kerberos configuration file:

[domain_realm]
        abhi.com = AS.ABHI.COM
        .abhi.com = AS.ABHI.COM

        abhi-amit.abhi.com = AMIT.ABHI.COM
        as.abhi.com = AMIT.ABHI.COM

Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If I go through the method above then I have to enter the 400 entries separately for the services in AMIT.ABHI.COM. Also I cannot write abhi.com = AMIT.ABHI.COM or .abhi.com = AMIT.ABHI.COM because it is already used for AS.ABHI.COM.

So is there any workaround for this problem?
Changing the DNS name is also not possible.
Any pointers in this regard will be very helpful.

Re: Any workaround for [domain_realm] section

by Javier Palacios-2

On Tue, Jul 29, 2008 at 9:49 AM, Abhishek Chowdhury
<abhishek.brave@...> wrote:

>
> I am using Kerberos v5.
> Following is the domain_realm section of my Kerberos configuration file:
>
> [domain_realm]
>         abhi.com = AS.ABHI.COM
>         .abhi.com = AS.ABHI.COM
>
>         abhi-amit.abhi.com = AMIT.ABHI.COM
>         as.abhi.com = AMIT.ABHI.COM
>
> Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If I go
> through the method above then I have to enter the 400 entries separately for
> the services in AMIT.ABHI.COM. Also I cannot write abhi.com = AMIT.ABHI.COM
> or .abhi.com = AMIT.ABHI.COM because it is already used for AS.ABHI.COM.
>
> So is there any workaround for this problem?
> Changing the DNS name is also not possible.
> Any pointers in this regard will be very helpful.

Not completely sure, but I believe that the TXT records allow you to do that.

Javier Palacios
________________________________________________
Kerberos mailing list           Kerberos@...
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Any workaround for [domain_realm] section

by Ken Raeburn

On Jul 29, 2008, at 08:49, Abhishek Chowdhury wrote:

> Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If I go
> through the method above then I have to enter the 400 entries separately for
> the services in AMIT.ABHI.COM. Also I cannot write abhi.com = AMIT.ABHI.COM
> or .abhi.com = AMIT.ABHI.COM because it is already used for AS.ABHI.COM.
>
> So is there any workaround for this problem?
> Changing the DNS name is also not possible.
> Any pointers in this regard will be very helpful.

If you can add TXT records for the hosts in AMIT, you could enable the use of these TXT records on all the clients; it's a theoretical security weakness, though, which is why it's off by default. The admin or install guides should mention how to set these up, I think. (Sorry, only have a few minutes right now.)

You could also set up some site-wide scheme for distributing updates to the domain_realm section, but that's kind of ugly.

If you set KRB5_CONFIG to a colon-separated list of files, the krb5 library code will read all of them in. If you have some site-wide shared file system, you could put a file there with the domain_realm entries for your site, but obviously there are potential security and performance issues there.

Eventually we want to have a way for the KDC to supply this information, but while we've got a spec in the works, we don't have an implementation yet.

Ken
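The lookup order Abhishek is fighting, and the TXT fallback Ken describes, as an added Python example written for this page (not code from MIT krb5): it evaluates [domain_realm] the way the krb5.conf documentation for current MIT releases describes (exact host first, then each parent domain with and then without the leading period), and simulates the _kerberos.<name> TXT lookups that dns_lookup_realm = true enables, using a constructed in-memory zone instead of real DNS. The hostnames server7.abhi.com and other.abhi.com, the TXT contents and the AMIT_ONLY mapping are assumptions made for the illustration, not anything from the thread.

```python
"""Host-to-realm resolution as an MIT krb5 client performs it: the
[domain_realm] profile mapping first, then (only if enabled) DNS TXT records.
Added example for this thread; not MIT krb5 code."""

# The poster's [domain_realm] section (krb5.conf wants these lower-cased).
DOMAIN_REALM = {
    "abhi.com": "AS.ABHI.COM",
    ".abhi.com": "AS.ABHI.COM",
    "abhi-amit.abhi.com": "AMIT.ABHI.COM",
    "as.abhi.com": "AMIT.ABHI.COM",
}

# Same mapping with the abhi.com catch-all removed, so that hosts not listed
# explicitly fall through to DNS (assumed alternative, not from the thread).
AMIT_ONLY = {k: v for k, v in DOMAIN_REALM.items() if v == "AMIT.ABHI.COM"}

# Constructed stand-in for DNS: what a TXT query for each name would return.
# One record per AMIT host, plus a zone-wide default for everything else.
CONSTRUCTED_TXT = {
    "_kerberos.server7.abhi.com": "AMIT.ABHI.COM",
    "_kerberos.abhi.com": "AS.ABHI.COM",
}


def profile_lookup_order(host):
    """Keys consulted in [domain_realm], in order: the host itself, then each
    parent domain with a leading period (explicit domain relation) and then
    without one (a host relation implicitly covers its subdomain)."""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    keys = [host]
    for i in range(1, len(parts)):
        parent = ".".join(parts[i:])
        keys += ["." + parent, parent]
    return keys


def realm_from_profile(host, mapping=DOMAIN_REALM):
    """First [domain_realm] key that matches wins; None if nothing matches."""
    for key in profile_lookup_order(host):
        if key in mapping:
            return mapping[key]
    return None


def txt_lookup_order(host):
    """_kerberos.<host>, then _kerberos.<parent> walking up the domain tree
    (stopping before the top-level label)."""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    return ["_kerberos." + ".".join(parts[i:]) for i in range(len(parts) - 1)]


def realm_from_dns(host, txt=CONSTRUCTED_TXT):
    """Simulated TXT lookup. On a real client this answer arrives over plain
    DNS: without DNSSEC, whoever can spoof the reply chooses the realm, which
    is the weakness Ken refers to and why dns_lookup_realm is off by default."""
    for name in txt_lookup_order(host):
        if name in txt:
            return txt[name]
    return None


def resolve_realm(host, dns_lookup_realm=False, mapping=DOMAIN_REALM,
                  txt=CONSTRUCTED_TXT):
    """The profile answers first; DNS is consulted only when the profile has
    no match and dns_lookup_realm is enabled."""
    realm = realm_from_profile(host, mapping)
    if realm is None and dns_lookup_realm:
        realm = realm_from_dns(host, txt)
    return realm


if __name__ == "__main__":
    # With the catch-all in place, server7 lands in AS even with DNS enabled.
    for host in ("as.abhi.com", "abhi-amit.abhi.com", "server7.abhi.com"):
        print(host, "->", resolve_realm(host, dns_lookup_realm=True))
    # With the catch-all gone, server7 is found via its TXT record and
    # unlisted hosts fall back to the zone-wide default record.
    for host in ("server7.abhi.com", "other.abhi.com"):
        print(host, "->", resolve_realm(host, True, AMIT_ONLY))
```

The point the first loop makes is that the catch-all .abhi.com entry always answers before DNS is asked, so TXT records only help once no profile entry covers the AMIT hosts; the zone-wide _kerberos.abhi.com record then carries the AS default instead. The record form on a real zone is `_kerberos.host.abhi.com. IN TXT "AMIT.ABHI.COM"`, switched on with `dns_lookup_realm = true` under [libdefaults].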

Re: Any workaround for [domain_realm] section

by Abhishek Chowdhury

Where can I get the steps to implement the TXT records method, if I want to do it?
Javier Palacios-2 wrote:
On Tue, Jul 29, 2008 at 9:49 AM, Abhishek Chowdhury
<abhishek.brave@gmail.com> wrote:
>
> I am using Kerberos v5.
> Following is the domain_realm section of my Kerberos configuration file:
>
> [domain_realm]
>         abhi.com = AS.ABHI.COM
>         .abhi.com = AS.ABHI.COM
>
>         abhi-amit.abhi.com = AMIT.ABHI.COM
>         as.abhi.com = AMIT.ABHI.COM
>
> Now in the realm AMIT.ABHI.COM I have around 400 entries (services). If I go
> through the method above then I have to enter the 400 entries separately for
> the services in AMIT.ABHI.COM. Also I cannot write abhi.com = AMIT.ABHI.COM
> or .abhi.com = AMIT.ABHI.COM because it is already used for AS.ABHI.COM.
>
> So is there any workaround for this problem?
> Changing the DNS name is also not possible.
> Any pointers in this regard will be very helpful.

Not completely sure, but I believe that the TXT records allow you to do that.

Javier Palacios

user name in ticket

by yabadi


Hi All

I have an AD environment with IE and an Apache web server.
The web server is configured (the web server has an AD user with a keytab) to
require IE clients to authenticate.
The client sends a Kerberos ticket to the web server. This ticket includes the
client name.
According to RFC 4120 section 5.3 it should.
My question is: what is the source of the name? Is it taken from the TGT,
when the user logged on to AD? Or is it taken from the user name in the request
to AD for this specific ticket (the client sends its name in the clear with the
request)?


Regards

Yuval Abadi


spnego

by yabadi

Hi All

I have a web server that requires authentication.
It does so by returning 401 WWW-Authenticate: Negotiate.
IE (FF too) sends a Kerberos ticket to authenticate.

When the client (or client machine) is not from the domain, IE pops up for
credentials and creates an NTLMSSP blob.

Is there any way to continue the negotiation with IE before it pops up the
NTLM credential prompt to the user? Maybe by sending a SPNEGO option?


Best Regards

Yuval Abadi




Re: spnego

by Michael B Allen

On Sun, Aug 17, 2008 at 3:35 AM, yuval <yabadi@...> wrote:

> Hi All
>
> I have a web server that requires authentication.
> It does so by returning 401 WWW-Authenticate: Negotiate.
> IE (FF too) sends a Kerberos ticket to authenticate.
>
> When the client (or client machine) is not from the domain, IE pops up for
> credentials and creates an NTLMSSP blob.
>
> Is there any way to continue the negotiation with IE before it pops up the
> NTLM credential prompt to the user? Maybe by sending a SPNEGO option?

See "Issue 3" in the Plexcel Operators Manual on the Support page of
the website in my signature. It outlines all of the reasons for
browsers not doing Kerberos (obviously if you are not using Plexcel
you will need to ignore any product specific references but getting
browsers to do Kerberos is pretty much the same regardless of what you
are using on the server side).

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

Re: spnego

by Tuomas <tuomaksen.spammiposti@gmail.com>

Michael B Allen wrote:

> On Sun, Aug 17, 2008 at 3:35 AM, yuval <yabadi@...> wrote:
>> Hi All
>>
>> I have a web server that requires authentication.
>> It does so by returning 401 WWW-Authenticate: Negotiate.
>> IE (FF too) sends a Kerberos ticket to authenticate.
>>
>> When the client (or client machine) is not from the domain, IE pops up for
>> credentials and creates an NTLMSSP blob.
>>
>> Is there any way to continue the negotiation with IE before it pops up the
>> NTLM credential prompt to the user? Maybe by sending a SPNEGO option?
>
> See "Issue 3" in the Plexcel Operators Manual on the Support page of
> the website in my signature. It outlines all of the reasons for
> browsers not doing Kerberos (obviously if you are not using Plexcel
> you will need to ignore any product specific references but getting
> browsers to do Kerberos is pretty much the same regardless of what you
> are using on the server side).
>
> Mike
>
Hi!

I have been struggling with the same problem (with apache &
mod_auth_kerb). For me it seems that there really isn't a foolproof way
to completely avoid getting NTLMSSP blobs from clients.

I wonder if there is a way to perform the login using NTLMSSP data?

Cheers,
Tuomas
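Tuomas is right that nothing on the server side stops a non-domain browser from sending NTLMSSP, but the server can tell what arrived before handing it to gss_accept_sec_context(). The following is an added Python example written for this page (not code from mod_auth_kerb, Plexcel or any browser): it decodes the token in `Authorization: Negotiate <base64>` just far enough to see whether it is a bare NTLMSSP message, a SPNEGO NegTokenInit whose first (preferred) mechType is NTLMSSP, or a SPNEGO or bare GSS token carrying Kerberos. The sample headers are constructed inside the block with a small DER encoder; their mechToken payloads are placeholders, not real AP-REQ or NTLM messages.

```python
"""Classify what a browser put in 'Authorization: Negotiate <base64>'.
Added example for this thread; not code from mod_auth_kerb or any product."""
import base64

# Mechanism OIDs in dotted form: SPNEGO (RFC 4178), Kerberos (RFC 4121),
# Microsoft's Kerberos variant, and NTLMSSP.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = {KRB5_OID, MS_KRB5_OID}


def _der_len(n):
    """DER length: short form below 0x80, else 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """One DER TLV."""
    return bytes([tag]) + _der_len(len(content)) + content


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # high bit set on every byte but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def decode_oid(content):
    """DER OID content bytes -> dotted form."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, content, position after the TLV) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_types, mech_token):
    """RFC 4178 InitialContextToken: [APPLICATION 0] { spnego OID,
    [0] NegTokenInit SEQUENCE { [0] mechTypes, [2] mechToken } }."""
    mech_list = der(0xA0, der(0x30, b"".join(encode_oid(m) for m in mech_types)))
    token = der(0xA2, der(0x04, mech_token))
    return der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, der(0x30, mech_list + token)))


def classify_negotiate_token(header_value):
    """Return (kind, mech_types_offered) for an Authorization header value,
    with or without the leading 'Negotiate ' scheme word."""
    raw = base64.b64decode(header_value.split(None, 1)[-1])
    if raw.startswith(b"NTLMSSP\x00"):          # bare NTLM, no GSS framing
        return "ntlmssp-raw", []
    if raw[:1] != b"\x60":
        return "unknown", []
    _, body, _ = read_tlv(raw)
    tag, oid, pos = read_tlv(body)
    if tag != 0x06:
        return "unknown", []
    this_mech = decode_oid(oid)
    if this_mech in KERBEROS_MECHS:             # raw Kerberos AP-REQ, no SPNEGO
        return "gss-kerberos", [this_mech]
    if this_mech != SPNEGO_OID:
        return "gss-other", [this_mech]
    tag, neg_token, _ = read_tlv(body, pos)
    if tag != 0xA0:                             # negTokenResp or malformed
        return "spnego-not-init", []
    _, fields, _ = read_tlv(neg_token)          # the NegTokenInit SEQUENCE
    tag, mech_types, _ = read_tlv(fields)
    if tag != 0xA0:
        return "spnego-no-mechtypes", []
    _, oid_list, _ = read_tlv(mech_types)       # SEQUENCE OF OID
    mechs, p = [], 0
    while p < len(oid_list):
        _, oid, p = read_tlv(oid_list, p)
        mechs.append(decode_oid(oid))
    if not mechs:
        return "spnego-no-mechtypes", []
    if mechs[0] in KERBEROS_MECHS:
        return "spnego-kerberos", mechs
    if mechs[0] == NTLMSSP_OID:
        return "spnego-ntlmssp", mechs
    return "spnego-other", mechs


# Constructed sample headers (payloads are placeholders, not real messages).
SAMPLE_HEADERS = {
    "domain-joined IE": "Negotiate " + base64.b64encode(build_neg_token_init(
        [MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"<AP-REQ placeholder>" * 12)).decode(),
    "non-domain IE": "Negotiate " + base64.b64encode(build_neg_token_init(
        [NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")).decode(),
    "raw NTLM": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
    "raw krb5": "Negotiate " + base64.b64encode(
        der(0x60, encode_oid(KRB5_OID) + b"\x01\x00<AP-REQ placeholder>")).decode(),
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:18} {classify_negotiate_token(header)}")
```

A server can answer "ntlmssp-raw" and "spnego-ntlmssp" with a fresh 401 (or hand them to an NTLM-capable module) rather than passing them to a Kerberos-only gss_accept_sec_context(), which has no NTLM mechanism to negotiate with and can only fail. The first mechType is the one the client will actually use, which is why the classifier keys on it rather than on whether Kerberos appears anywhere in the list.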

Re: spnego

by Simo Sorce

On Wed, 2008-08-20 at 19:32 +0300, Tuomas wrote:

> I have been struggling with the same problem (with apache &
> mod_auth_kerb). For me it seems that there really isn't a foolproof
> way
> to completely avoid getting NTLMSSP blobs from clients.
>
> I wonder if there is a way to perform the login using NTLMSSP data?

You can try with mod-auth-ntlm-winbind:
http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/mod_auth_ntlm_winbind/?root=lorikeet

--
Simo Sorce * Red Hat, Inc * New York


Re: spnego

by Tuomas <tuomaksen.spammiposti@gmail.com>

Simo Sorce wrote:

> On Wed, 2008-08-20 at 19:32 +0300, Tuomas wrote:
>
>> I have been struggling with the same problem (with apache &
>> mod_auth_kerb). For me it seems that there really isn't a foolproof
>> way
>> to completely avoid getting NTLMSSP blobs from clients.
>>
>> I wonder if there is a way to perform the login using NTLMSSP data?
>
> You can try with mod-auth-ntlm-winbind:
> http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/mod_auth_ntlm_winbind/?root=lorikeet
>

Thanks for the info, I will try it as soon as I can get another test
server to use since it's not possible to use both mod_auth_kerb and
mod_auth_ntlm_winbind on the same server.

I also found out using wireshark what Internet Explorer does when it
fails to authenticate using Kerberos. It asks a ticket from the Active
Directory server for HTTP/virtualhost.domain.com instead of
HTTP/realname.domain.com. For me this seems like a bug in IE7, has
anyone found solutions for this?

Cheers,
Tuomas

Re: spnego

by Michael B Allen

On Thu, Sep 11, 2008 at 12:30 PM, Tuomas
<tuomaksen.spammiposti@...> wrote:
> I also found out using wireshark what Internet Explorer does when it
> fails to authenticate using Kerberos. It asks a ticket from the Active
> Directory server for HTTP/virtualhost.domain.com instead of
> HTTP/realname.domain.com. For me this seems like a bug in IE7, has
> anyone found solutions for this?

That's not a bug. You will need to add SPNs to the desired account
(using setspn) for each virtual hostname.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

Re: spnego

by Tuomas <tuomaksen.spammiposti@gmail.com>

Michael B Allen wrote:

> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas
> <tuomaksen.spammiposti@...> wrote:
>> I also found out using wireshark what Internet Explorer does when it
>> fails to authenticate using Kerberos. It asks a ticket from the Active
>> Directory server for HTTP/virtualhost.domain.com instead of
>> HTTP/realname.domain.com. For me this seems like a bug in IE7, has
>> anyone found solutions for this?
>
> That's not a bug. You will need to add SPNs to the desired account
> (using setspn) for each virtual hostname.

I see, just can't understand why this is happening occasionally. At
least it makes things harder.

Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", but things still
didn't work as they should. Now in Apache's error.log I get:
gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
may provide more information (Key table entry not found)

I understand that I should have also virtualhost.domain.com defined in
my keytab, just don't have any idea how to do that.

Thanks for all the help!
-Tuomas

Re: spnego

by Michael B Allen

On Tue, Sep 16, 2008 at 4:15 PM, Tuomas <tuomaksen.spammiposti@...> wrote:

> Michael B Allen wrote:
>> On Thu, Sep 11, 2008 at 12:30 PM, Tuomas
>> <tuomaksen.spammiposti@...> wrote:
>>> I also found out using wireshark what Internet Explorer does when it
>>> fails to authenticate using Kerberos. It asks a ticket from the Active
>>> Directory server for HTTP/virtualhost.domain.com instead of
>>> HTTP/realname.domain.com. For me this seems like a bug in IE7, has
>>> anyone found solutions for this?
>>
>> That's not a bug. You will need to add SPNs to the desired account
>> (using setspn) for each virtual hostname.
>
> I see, just can't understand why this is happening occasionally. At
> least it makes things harder.
>
> Anyway, I set up "setspn -a HTTP/virtualhost.domain.com", but things still
> didn't work as they should. Now in Apache's error.log I get:
> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
> may provide more information (Key table entry not found)
>
> I understand that I should have also virtualhost.domain.com defined in
> my keytab, just don't have any idea how to do that.

Actually I think I might know why you're getting an error (I don't
know a lot about mod_auth_kerb - I know a lot more about what is
possible protocol-wise as opposed to what mod_auth_kerb can do).

A keytab file can have multiple principals (SPNs in this case). For
example, our Plexcel product automatically generates a keytab with all
of the SPNs set on the HTTP service account. But now that I think
about it, because mod_auth_kerb relies on ktpass.exe to generate the
keytab file, and because ktpass can only generate the said keytab file
with one principal, it has to be that one SPN you want to use.

Meaning I suspect you have to run ktpass to generate a keytab file
*with the specific SPN* you want to use.

You might want to bring your problem to the mod_auth_kerb mailing
list. They would certainly know better than I how to set this up. I'm
happy to give you my best guess here but again, I'm not terribly
familiar with mod_auth_kerb's nuances.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
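Michael's point that one keytab can carry several principals, and Tuomas's "Key table entry not found", come down to a single check: does the keytab the server opens actually contain HTTP/virtualhost.domain.com@REALM? The following is an added Python example written for this page (not code from MIT krb5, mod_auth_kerb or ktpass): it writes an MIT version-2 keytab from a list of entries and parses one back, so the same parser can be pointed at a real keytab file. The realm DOMAIN.COM, kvno 3, the rc4-hmac enctype number 23 and the 16-byte placeholder keys are assumptions for the illustration; on a real AD service account both SPNs derive from the same account password and therefore share one key and kvno.

```python
"""Write and read MIT-format (version 0x0502) keytabs to check which service
principals a keytab actually holds. Added example for this thread; not code
from MIT krb5, mod_auth_kerb or ktpass."""
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"   # keytab format version 2: integers big-endian


def _cstr(data):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _counted(entry, p):
    """Read a counted_octet_string at entry[p]; return (bytes, next position)."""
    (n,) = struct.unpack_from(">H", entry, p)
    return entry[p + 2:p + 2 + n], p + 2 + n


def build_keytab(entries, timestamp=None):
    """entries: (principal 'svc/host@REALM', kvno, enctype, key bytes)."""
    stamp = int(time.time()) if timestamp is None else timestamp
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">II", 1, stamp)        # name_type NT-PRINCIPAL, timestamp
        body += struct.pack(">B", kvno & 0xFF)      # 8-bit vno
        body += struct.pack(">H", enctype) + _cstr(key)
        body += struct.pack(">I", kvno)             # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body  # entry length prefix
    return bytes(out)


def parse_keytab(blob):
    """Yield (principal, kvno, enctype) for every live entry in the keytab."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # deleted entry: negative size marks a hole
            pos += -size
            continue
        entry, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(entry, p)
            comps.append(c.decode())
        p += 8                       # skip name_type and timestamp
        vno8, p = entry[p], p + 1
        enctype, klen = struct.unpack_from(">HH", entry, p)
        p += 4 + klen                # skip the key material itself
        kvno = vno8
        if p + 4 <= size:            # 32-bit vno present; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", entry, p)
            kvno = vno32 or vno8
        yield "/".join(comps) + "@" + realm.decode(), kvno, enctype


def find_principal(blob, principal):
    """(kvno, enctype) pairs for principal; an empty list is the situation
    behind 'Key table entry not found' for that SPN."""
    return [(k, e) for p, k, e in parse_keytab(blob) if p == principal]


REALM = "DOMAIN.COM"        # assumed realm; the hostnames are the thread's
KEY = b"\x11" * 16          # placeholder rc4-hmac key, not real key material
RC4_HMAC = 23

# The one-principal keytab Michael describes a single ktpass run producing.
SINGLE_SPN_KEYTAB = build_keytab(
    [("HTTP/realname.domain.com@" + REALM, 3, RC4_HMAC, KEY)], timestamp=0)

# Both SPNs of the same service account: same key and kvno, two entries.
MERGED_KEYTAB = build_keytab([
    ("HTTP/realname.domain.com@" + REALM, 3, RC4_HMAC, KEY),
    ("HTTP/virtualhost.domain.com@" + REALM, 3, RC4_HMAC, KEY),
], timestamp=0)

if __name__ == "__main__":
    for label, kt in (("single", SINGLE_SPN_KEYTAB), ("merged", MERGED_KEYTAB)):
        print(label, [p for p, _, _ in parse_keytab(kt)])
    print(find_principal(SINGLE_SPN_KEYTAB, "HTTP/virtualhost.domain.com@" + REALM))
    print(find_principal(MERGED_KEYTAB, "HTTP/virtualhost.domain.com@" + REALM))
```

On a real file `klist -kte /path/to/keytab` prints the same listing; to combine two separate ktpass outputs into one MIT keytab, load both with ktutil's `rkt` and write the result with `wkt`. Presence of the principal is only the first check: the entry's kvno and enctype must also match what the KDC used for the ticket, otherwise acceptance fails with a different error.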