Search Results

Search found 392 results on 16 pages for 'kerberos keytab'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 2/16 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >

  • Setting up Kerberos SSO in Windows 2008 network

    - by Arturs Licis
    We recently introduced Kerberos (SPNEGO) Single Sign-on in our web-portal, and tested it on a Windows network with Windows 2003 domain controller. Now, trying to test it on Windows 2008 R2 controlled network, SSO just doesn't work due to defective tokens. Up to the moment I was pretty sure that there's something wrong about environment and that were NTLM tokens. We double checked IE settings etc, but nothing helped. Then we checked the following settings for both users (logged on a client test-machine, and the one used as a Service Principal): This account supports Kerberos AES 128 bit encryption. This account supports Kerberos AES 256 bit encryption. .. and error message changed to ' GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled) It makes me think that Internet Explorer receives Kerberos tokens at all times, and there's just some configuration missing, or it was ktpass.exe to be incorrectly executed. Here's how ktpass.exe was invoked: C:ktpass /out portal1.keytab /mapuser USER /princ HTTP/[email protected] /pass *

    Read the article

  • pGina with automatic Kerberos ticket and OpenAFS token/ticket

    - by rolands
    I am currently updating our educational Windows lab images from XP to 7, In doing so we are also migrating from Comtarsia to pGina. Unfortunately somewhere in the transition our automation that fetched kerberos and OpenAFS tickets/tokens on login has completely stopped functioning. Basically what used to happen was, using kfw-3.2.2 and the old OpenAFS release (loopback adapter days), either comtarsia would share password or something with the NIM (Network Identity Manager) which would authenticate against the kerberos server gaining a ticket and AFS token needed to access the users file, this was aided by the fact that our ldap database that windows authenticates against is also what kerberos uses to authenticate so usernames/passwords are the same across both services. I have set up all of the tools, albeit newer 64bit versions which seem to have given me less trouble than the previous releases of NIM/OpenAFS/Krb5, as well as setting their configurations back to what we used to use. Unfortunately this seems to be fubar'd in some way, instead all we get now is a OpenAFS token, most likely I assume from the AFScreds tool which operates some kind of integrated login process, although this does not help in getting a kerberos ticket or a afs ticket for which a login box is provided be NIM after the user logs in. Does anyone know IF it is possible to do what we are trying, and if so how? I was considering writing a pGina plugin which would interact with the server itself but this seems slightly like overkill considering that all these applications already exist...

    Read the article

  • Authenticating Windows 7 against MIT Kerberos 5

    - by tommed
    Hi There, I've been wracking my brains trying to get Windows 7 authenticating against a MIT Kerberos 5 Realm (which is running on an Arch Linux server). I've done the following on the server (aka dc1): Installed and configured a NTP time server Installed and configured DHCP and DNS (setup for the domain tnet.loc) Installed Kerberos from source Setup the database Configured the keytab Setup the ACL file with: *@TNET.LOC * Added a policy for my user and my machine: addpol users addpol admin addpol hosts ank -policy users [email protected] ank -policy admin tom/[email protected] ank -policy hosts host/wdesk3.tnet.loc -pw MYPASSWORDHERE I then did the following to the windows 7 client (aka wdesk3): Made sure the ip address was supplied by my DHCP server and dc1.tnet.loc pings ok Set the internet time server to my linux server (aka dc1.tnet.loc) Used ksetup to configure the realm: ksetup /SetRealm TNET.LOC ksetup /AddKdc dc1.tnet.loc ksetip /SetComputerPassword MYPASSWORDHERE ksetip /MapUser * * After some googl-ing I found that DES encryption was disabled by Windows 7 by default and I turned the policy on to support DES encryption over Kerberos Then I rebooted the windows client However after doing all that I still cannot login from my Windows client. :( Looking at the logs on the server; the request looks fine and everything works great, I think the issue is that the response from the KDC is not recognized by the Windows Client and a generic login error appears: "Login Failure: User name or password is invalid". The log file for the server looks like this (I tail'ed this so I know it's happening when the Windows machine attempts the login): Screen-shot: http://dl.dropbox.com/u/577250/email/login_attempt.png If I supply an invalid realm in the login window I get a completely different error message, so I don't think it's a connection problem from the client to the server? But I can't find any error logs on the Windows machine? (anyone know where these are?) If I try: runas /netonly /user:[email protected] cmd.exe everything works (although I don't get anything appear in the server logs, so I'm wondering if it's not touching the server for this??), but if I run: runas /user:[email protected] cmd.exe I get the same authentication error. Any Kerberos Gurus out there who can give me some ideas as to what to try next? pretty please?

    Read the article

  • Oracle with Kerberos authentication and Windows 2003 Server as KDC

    - by Supaplex
    I am running Oracle 10.2 on a Windows 2003 Server SP2 which is also the domain controller on the network. I wish to switch authentication method from NTS to Kerberos. I have spent a lot of time trying to configure Oracle with Kerberos authentication from the Oracle Advanced Security option from the Net Manager utility. I have disabled NTS so Kerberos is promoted as the preferred authentication method. But as soon as the configuration is saved from Net Manager and I restart the Oracle server service, Oracle will not start. I don't know what Oracle is complaining about, because I don't know where to look for the Oracle error log. My first question is: how can I figure out what's bugging Oracle? My second question: is there a good tutorial for setting up Oracle on a Windows 2003 with Kerberos Authentication, where the Windows 2003 Server is the KDC? Maybe there is a book I can get? I have read Oracles own guide, but it is mostly for Linux/Unix. Thanks a lot!

    Read the article

  • Why is squid breaking kerberos/NTLM auth?

    - by DonEstefan
    I'm using squid 2.6.22 (Centos 5 Default) as a proxy. Squid seems to break the authentication process for web pages when they require NTLM or Kerberos Auth. I tested with sharepoint 2007 and tried all 3 authentication methods (NTLM, Kerberos, Basic). Accessing the site without squid works in all cases. When I access the same page with squid, then only basic-auth works. Using IE or Firefox desn't make any difference. Squid itself can be used by anybody (no auth_param configured). Its a bit tricky to find solutions online, since most of the topics whirl around auth_param for authenticating users to squid rather than authenticating users to a webpage behind squid. Could anyone help? Edit: Sorry, but my first test was totally screwed up. I tested against the wrong webservers (Memo to myself: always check assumptions before testing). Now I realized that the problem scenario is completely different. Kerberos work for IE Kerberos works for Firefox (after changing "network.negotiate-auth.trusted-uris" in about:config) NTLM works for IE NTLM does NOT work in Firefox (even after changing "network.automatic-ntlm-auth.trusted-uris" in about:config) By the way: The feature that provides NTLM-passthrough in squid is called "connection pinning" and the HTTP header "Proxy-support: Session-based-authentication""

    Read the article

  • Oracle with Kerberos authentication and Windows 2003 Server as KDC

    - by Supaplex
    Hello everyone. I am running Oracle 10.2 on a Windows 2003 Server SP2 which is also the domain controller on the network. I wish to switch authentication method from NTS to Kerberos. I have spent a lot of time trying to configure Oracle with Kerberos authentication from the Oracle Advanced Security option from the Net Manager utility. I have disabled NTS so Kerberos is promoted as the preferred authentication method. But as soon as the configuration is saved from Net Manager and I restart the Oracle server service, Oracle will not start. I don't know what Oracle is complaining about, because I don't know where to look for the Oracle error log. My first question is: how can I figure out what's bugging Oracle? My second question: is there a good tutorial for setting up Oracle on a Windows 2003 with Kerberos Authentication, where the Windows 2003 Server is the KDC? Maybe there is a book I can get? I have read Oracles own guide, but it is mostly for Linux/Unix. Thanks a lot!

    Read the article

  • Kerberos issues after new server of same name joined to domain

    - by MentalBlock
    Environment: Windows Server 2012, 2 Domain Controllers, 1 domain. A server called Sharepoint1 was joined to the domain (running Sharepoint 2013 using NTLM). The fresh install for Sharepoint1 (OS and Sharepoint) is performed and set up for Kerberos and joined to the domain using the same name. Two SPNs added for HTTP/sharepoint1 and HTTP/sharepoint1.somedomain.net for account SPFarm. Active Directory shows a single, non-duplicate computer account with a create date of the first server and a modify date of the second server creation. A separate server also on the domain has the server added to All Servers in Server Manager. This server shows a local error in the events exactly like This from Technet (Kerberos error 4 - KRB_AP_ERR_MODIFIED). Question: Can someone help me understand if the problem is: The computer account is still the old account and causing a Kerberos ticket mismatch (granted some housekeeping in AD might have prevented this) (In my limited understanding of Kerberos and SPNs) that the SPFarm account used for the SPNs is somehow mismatched with HTTP calls made by the remote server management tools services in Windows Server 2012 Something completely different? I am leaning towards the first one, since I tested the same SPNs on another server and it didn't seem to cause the same issue. If this is the case, can it be easily and safely repaired? Is there a proper way to either reset the account or better yet, delete and re-add the account? Although it sounds simple enough with some powershell or clicking around in AD Users and Computers, I am uncertain what impact this might have on an existing server, particularly one running SharePoint. What is the safest and simplest way to proceed? Thanks!

    Read the article

  • Kerberos SSO browser integration?

    - by MrZombie
    I'm installing a bunch of web apps for the office, and one of the wants would be Kerberos-managed SSO. Now, I have found some information on the matter, and I wondered, what browsers integrate Kerberos SSO? Of course I could just use the underlying web app to authenticate in case of lack of Kerberos capability, which is exactly the plan, but I'd like to know which browsers would work for that, so I can plan ahead and decide if it's even worth it to do that, which I believe it would considering that one of the web apps I'm implementing will be an ERP.

    Read the article

  • Setting up kerberos for SQL Server 2008 R2 not taking effect

    - by dotnetdev
    I am trying to configure Kerberos for my SQL Server (the database engine domain account). I have executed the following command: SETSPN -A MSSQLSvc/MyDBServer:1433 MyDomain\SQLServerService Replacing MyDBServer with the FQDN of the server and replacing MyDomain\SQLServerService with the name of my account. I then ran the query: SELECT s.session_id , c.connect_time , s.login_time , s.login_name , c.protocol_type , c.auth_scheme , s.HOST_NAME , s.program_name FROM sys.dm_exec_sessions s JOIN sys.dm_exec_connections c ON s.session_id = c.session_id This returns NTLM. So it's not Kerberos. What am I mising? The delegation tab is available for the account, so the spn bit worked perfectly fine. Is it not required to set some settings in the delegation tab? I've seen this in the case of setting kerberos for Sharepoint 2010 (which I intend to setup). Thanks

    Read the article

  • Get Kerberos ticket with SSH

    - by Joel
    I'd like to get a Kerberos 5 ticket when ssh-ing to get to a fully-automated login solution. Typically, you use kinit first and then ssh: > kinit user@DOMAIN user@DOMAIN's Password: (enter password) > ssh user@host (successful login) I'd like to simply run ssh user@host and automatically check for a Kerberos ticket. If one isn't there, I'd like it to get a ticket and then log in. > kdestroy > ssh user@host user@DOMAIN's Password: (enter password) (successful login) (log off of host) > klist (show ticket info) I'd like this to be configured on a per-host basis, as not every host I log into supports Kerberos.

    Read the article

  • Is there a Kerberos testing tool?

    - by ixe013
    I often use openssl s_client to test and debug SSL connections (to LDAPS or HTTPS services). It allows me to isolate the problem down to SSL, without anything getting in the way. I know about klist that allows me to purge the ticket cache. Is there tool that would allow me to ask a Kerberos ticket for a given server, not event sending it ? Just enough to see the whole Kerberos exchange in Wireshark for example ?

    Read the article

  • Cannot delete files on samba share when authenticated using kerberos

    - by ondra
    I have a samba server that authenticates users using LDAP, however it does have kerberos enabled as well. Unfortunately users authenticated using kerberos cannot delete files. I can test this using smbclient - if I use the '-k' switch, I cannot delete the files, if I don't, I can. The users does have read/write/execute access to the directory from where he is trying to delete the file. Any idea what might be wrong?

    Read the article

  • How does Kerberos work with SSH?

    - by Phil
    Suppose I have four computers, Laptop, Server1, Server2, Kerberos server: I log in using PuTTY or SSH from L to S1, giving my username / password From S1 I then SSH to S2. No password is needed as Kerberos authenticates me Describe all the important SSH and KRB5 protocol exchanges: "L sends username to S1", "K sends ... to S1" etc. (This question is intended to be community-edited; please improve it for the non-expert reader.)

    Read the article

  • Adding new SPNs to existing service ids

    - by jmh
    We have a tomcat server using spring-security kerberos to authenticate users to the webpage against active directory. There are around 25 domain controllers. The site has two CNAME based DNS aliases. The site currently has one Service ID with SPNs registered for the DNS A record as well as each of the CNAMEs. While everything is working right now, I don't know how to reliably change this configuration without possible downtime. The reason is that clients cache kerberos tickets: http://www.juniper.net/techpubs/en_US/uac4.2/topics/concept/user-role-active-directory-about.html The 'kerbtray.exe' program is helpful for viewing and deleting Kerberos tickets on the endpoint. Old tickets must be purged from the endpoint if SPNs are updated or passwords are changed (assuming the endpoint still has a cached copy of the ticket from a prior SPNEGO request to the MAG Series device. During testing, you should purge tickets before each authentication request. Description of "klist" program used to inspect/delete cached tickets: http://technet.microsoft.com/en-us/library/hh134826.aspx So if each of the clients (users running windows) who connect to my web server have kerberos tickets that become invalid as soon as I update the SPNs or passwords, how do I ensure changes are seamless? Are there any operations that can be done safely? I can't just ask all of the users to install klist and delete their old tickets.

    Read the article

  • RPCSS kerberos issues on imaged Windows workstations

    - by sysadmin1138
    While doing some unrelated troubleshooting I came across a set of Event Log entries that have me concerned. Machine Name: labcomputer82 Source: Security-Kerberos Event ID: 4 Event Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server labcomputer143$. The target name used was RPCSS/imagemaster4.ad.domain.edu. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (AD.DOMAIN.EDU) is different from the client domain (AD.DOMAIN.EDU), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server. There are three machine names used in this message. It's generated on labcomputer82, it's attempting to talk to another lab workstation called labcomputer143, and the service in question (RPCSS) refers to the name of the machine that this machine was imaged from (and possibly also that of labcomputer143, I'm not sure). The thing that has me raising both eyebrows is that the machine named labcomputer82 is attempting to use an SPN of RPCSS/imagemaster4.ad.domain.edu. The SPN attribute on the computer object in AD looks just fine. It has all the names it should have. Of the over 3,000 computer objects in our AD domain, somewhere around 1,700 of the are computer-lab seats that are frequently imaged. If we're doing something wrong, I'd like to know in time to get our procedures modified (and people retrained) for fall quarter. But if this is normal for imaged machines, I'll just continue ignoring these.

    Read the article

  • Kerberos authentication not working for one single domain

    - by Buddy Casino
    We have a strange problem regarding Kerberos authentication with Apache mod_auth_kerb. We use a very simple krb5.conf, where only a single (main) AD server is configured. There are many domains in the forest, and it seems that SSO is working for most of them, except one. I don't know what is special about that domain, the error message that I see in the Apache logs is "Server not found in Kerberos database": [Wed Aug 31 14:56:02 2011] [debug] src/mod_auth_kerb.c(1025): [client xx.xxx.xxx.xxx] Using HTTP/[email protected] as server principal for password verification [Wed Aug 31 14:56:02 2011] [debug] src/mod_auth_kerb.c(714): [client xx.xxx.xxx.xxx] Trying to get TGT for user [email protected] [Wed Aug 31 14:56:02 2011] [debug] src/mod_auth_kerb.c(625): [client xx.xxx.xxx.xxx] Trying to verify authenticity of KDC using principal HTTP/[email protected] [Wed Aug 31 14:56:02 2011] [debug] src/mod_auth_kerb.c(640): [client xx.xxx.xxx.xxx] krb5_get_credentials() failed when verifying KDC [Wed Aug 31 14:56:02 2011] [error] [client xx.xxx.xxx.xxx] failed to verify krb5 credentials: Server not found in Kerberos database [Wed Aug 31 14:56:02 2011] [debug] src/mod_auth_kerb.c(1110): [client xx.xxx.xxx.xxx] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL) When I try to kinit that user on the machine on which Apache is running, it works. I also checked that DNS lookups work, including reverse lookup. Who can tell me whats going?

    Read the article

  • End-to-end kerberos delegated authentication in ASP.NET

    - by Erlend
    I'm trying to setup an internal website that will contact another backend service within the network on behalf of the user using a HttpWebRequest. I have to use Integrated Windows Authentication on the ASP.NET application as the backend system only supports this type of authentication. I'm able to setup IWA on the ASP.NET application, and it's using kerberos as I expect it to. However when the authentication is delegated to the backend system it doesn't work anymore. This is because the backend system only supports kerberos IWA, but the delegation for some reason - even though the incoming request is kerberos authenticated - converts the authentication to NTLM before forwaring to the backend system. Does anybody know what I need to do on the ASP.NET application in order to allow it to forward the identity using kerberos? I've currently tried the followin but it doesn't seem to work CredentialCache credentialCache = new CredentialCache(); credentialCache.Add(request.RequestUri, "Negotiate", CredentialCache.DefaultCredentials.GetCredential(request.RequestUri, "Kerberos")); request.Credentials = credentialCache; I've also tried to set "Kerberos" where it now says "Negotiate", but it doesn't seem to do much.

    Read the article

  • kinit gives me a Kerberos ticket, but no AFS token

    - by Tomas Lycken
    I'm trying to setup access to my university's IT environment from my laptop running Ubuntu 12.04, by (mostly) following the IT-department's guides on AFS and Kerberos. I can get AFS working well enough so that I can navigate to my home folder (located in the nada.kth.se cell of AFS), and I can get Kerberos working well enough to forward tickets and authenticate me when I connect with ssh. However, I don't seem to get any AFS tokens locally, on my machine, so I can't just go to /afs/nada.kth.se/.../folder/file.txt on my machine and edit it. I can't even stand in /afs/nada.kth.se/.../folder and run ls without getting Permission denied errors. Why doesn't kinit -f [email protected] give me an AFS token? What do I need to do to get one?

    Read the article

  • Kerberos authentication between 2 applications

    - by Spivi
    We work on a server 2003 and server 2008 R2 enviroment. I'm familiar with the basic usage of the Kerberos protocol where the protocol authenticates a client when he tries to use a shared resource (server, folder, printer, etc.). We have three distinct and independent .NET applications that we develop inhouse (app A, app B & app C) but they need to communicate for a given reason (A recieves messages only from B and C and C recieves messages only from B). Is it possible to configure the Kerberos services to authenticate messages/request between two .NET apps ? (Instead of a user-server authentication, we will have an application-application authentication)

    Read the article

  • Tool to allow Kerberos Authenticated users to modify Firewall settings

    - by Lars Hanke
    I run a firewall on a central router. Recently, several users want to use Skype. Since firewalling Skype virtually means to switch the firewall off, I consider to allow users to temporarily punch holes for their system. Since the users have no accounts on the router, I consider using Kerberos for authentication and authorization. The router is a Debian Squeeze box, with minimal configuration, i.e. no web-server, database or similar gimmicks. Does anyone know an existing solution, which could be used for that purpose? Or does anybody know easy to use and well documented frameworks in say Perl, Python, C, C++, ... making the set-up of a Kerberos authenticated Client and Server application really simple?

    Read the article

  • Cannot get to configure Kerberos for Reporting Services

    - by Ucodia
    Context I am trying to configure Kerberos in the domain for double-hop authentication. So here are the machines and their respective roles: client01: Windows 7 as client dc01: Windows Server 2008 R2 as domain controller and dns server01: Windows Server 2008 R2 as reporting server (native mode) server02: Windows Server 2008 R2 as SQL Server database engine I want my client01 to connect to server01 and configure a data source that is located on server02 using Intergrated Security. So as NTLM cannot push credentials that far, I need to setup Kerberos to enable double-hop authentication. The reporting service is runned by the Network Service service account and is configured only with the RSWindowsNegotiate options for authentication. Issue I cannot get to pass my client01 credential to server02 when configuring the data source on server01. Therefore I get the error: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. So I went on dc01 and delegated full trust for any service to server01 but it not fixed the problem. I want to notice that I did not configured any SPNs for server01 because Reporting Service is runned by Network Service and from what I read on the Internet, when Reporting Services is going up with Network Service, SPNs are automatically registered. My problem is that even if that I want to configure SPNs manually, I do not know where I have to set them up. On dc01 or on server01? So I went a bit further on the issue and tried to trace this problem. From my understanding of Kerberos, this is what should happen on the network when I try to connect the data source: client01 ---- AS_REQ ---> dc01 <--- AS_REP ---- client01 ---- TGS_REQ ---> dc01 <--- TGS_REP ---- client01 ---- AP_REQ ---> server01 <--- AP_REP ---- server01 ---- TGS_REQ ---> dc01 <--- TGS_REP ---- server01 ---- AP_REQ ---> server02 <--- AP_REP ---- So captured my local network with Wireshark, but whenever I try to configure my data source from client01 on server01 to pass my credentials to server02, my client never sends a AS_REQ or TGS_REQ to the KDC on dc01. Questions So does anyone can tell me if I should configure the SPNs and on which machine does it have to be configured? Also why client01 never request for a TGT or a TGS to my KDC. Do you think there is something going wrong with the DC role of dc01?

    Read the article

  • Single Sign On for intranet with Apache and Linux MIT Kerberos

    - by Beerdude26
    Greetings, I am looking for a way to do a single sign on to an intranet in the following manner: A Linux user logs on via a graphical frontend (for example, GNOME). He automatically requests a TGT for his username from the MIT Kerberos KDC. Via some way or another, the Apache server (which we'll assume is on the same server as the KDC), is informed that this user has logged in. When the user accesses the intranet, he is automatically granted access to his web applications. I don't think I've seen this kind of functionality while searching the net. I know the following possibilities exist: Using an authentication module such as mod_auth_kerb, a user is presented with a login prompt to enter his username and password, which are then authenticated against the MIT Kerberos server. (I would like this to be automatic.) IIS supports integrated Windows logon via ASP.Net when the user is part of an Active Directory. (I'm looking for the Linux / Apache equivalent.) Any suggestions, criticism and ideas are highly appreciated. This is for a school project to show a proof-of-concept, so every handy piece of information is more than welcome. :)

    Read the article

  • [SOLVED] Single Sign On for intranet with Apache and Linux MIT Kerberos

    - by Beerdude26
    EDIT: SOLVED! See my answer below. Greetings, I am looking for a way to do a single sign on to an intranet in the following manner: A Linux user logs on via a graphical frontend (for example, GNOME). He automatically requests a TGT for his username from the MIT Kerberos KDC. Via some way or another, the Apache server (which we'll assume is on the same server as the KDC), is informed that this user has logged in. When the user accesses the intranet, he is automatically granted access to his web applications. I don't think I've seen this kind of functionality while searching the net. I know the following possibilities exist: Using an authentication module such as mod_auth_kerb, a user is presented with a login prompt to enter his username and password, which are then authenticated against the MIT Kerberos server. (I would like this to be automatic.) IIS supports integrated Windows logon via ASP.Net when the user is part of an Active Directory. (I'm looking for the Linux / Apache equivalent.) Any suggestions, criticism and ideas are highly appreciated. This is for a school project to show a proof-of-concept, so every handy piece of information is more than welcome. :)

    Read the article

  • Immediate logout after login with PAM, Kerberos, and LDAP

    - by Dylan Klomparens
    I've set up remote login on a computer using Kerberos and LDAP. I've also configured NFS to mount onto /home so that the user's home directory is the same wherever they login. Kerberos authentication seems to work fine. I can get a ticket using kinit user1 (assuming user1 is a remote user) and see the ticket with klist. I'm pretty sure LDAP is working because I see the proper output from getent passwd, which lists all the remote users. The contents of /home are present when I list the files. The problem is: when I try to login as a remote user the session is immediately ended. Why is it not letting me stay logged in? Here is the output from /var/log/messages after a login attempt: # /var/log/messages: Oct 9 10:57:53 tophat login[6472]: pam_krb5[6472]: authentication succeeds for 'user1' ([email protected]) Oct 9 10:57:53 tophat login[6472]: pam_krb5[6472]: pam_setcred (establish credential) called Oct 9 10:57:53 tophat login[6472]: pam_krb5[6472]: pam_setcred (delete credential) called EDIT: The distro is openSUSE. Here are the common-* files in /etc/pam.d:   # /etc/pam.d/common-account account required pam_unix.so   # /etc/pam.d/common-auth auth sufficient pam_krb5.so minimum_uid=1000 auth required pam_unix.so nullok_secure try_first_pass   # /etc/pam.d/common-session session optional pam_umask.so umask=002 session sufficient pam_krb5.so minimum_uid=1000 session required pam_unix.so There doesn't appear to be a /var/log/auth.log file nor a /var/log/secure file.

    Read the article

  • Using Kerberos authentication for SQL Server 2008

    - by vivek m
    I am trying to configure my SQL Server to use Kerberos authentication. My setup is like this - My setup is like this- I have 2 virtual PCs in a Windows XP Pro SP3 host. Both VPCs are Windows Server 2003 R2. One VPC acts as the DC, DNS Server, DHCP server, has Active Directory installed and the SQL Server default instance is also running on this VPC. The second VPC is the domain member and it acts as the SQL Server client machine. I configured the SPN on the SQL Server service account to get the Kerberos working. On the client VPC it seems like it is using Kerberos authentication (as desired)- C:\Documents and Settings\administrator.SHAREPOINTSVC>sqlcmd -S vm-winsrvr2003 1> select auth_scheme from sys.dm_exec_connections where session_id=@@spid 2> go auth_scheme ---------------------------------------- KERBEROS (1 rows affected) 1> but on the server computer (where the SQL Server instance is actually running) it looks like it is still using NTLM authentication- . This is not a remote instance, the sql server is local to this machine. C:\Documents and Settings\Administrator>sqlcmd 1> select auth_scheme from sys.dm_exec_connections where session_id=@@spid 2> go auth_scheme ---------------------------------------- NTLM (1 rows affected) 1> What can i do so that it uses Kerberos on the server computer as well ? (or is this something that I should not expect)

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >