Questions tagged [gssapi]
58 questions
0
votes
0
answers
17
views
Kerberos ticket not accepted by Exim4
I have a problem, that I cannot get solved for days. When I use name and password, I can send a mail. I see in debug output of saslauthd: response: OK
But when I use the GSSAPI method (that works for ...
0
votes
1
answer
140
views
Kerberos authentication with GSSAPI on Windows 11 LTSC fails with [An unsupported mechanism was requested (Unknown error)]
We have a Windows 11 LTSC client that fails authentication with - Apache2 / Kerberos / GSSAPI.
This configuration works with all of our clients, Windows 10, Windows 10 LTSC, Windows 11, but not ...
1
vote
0
answers
191
views
FreeIPA ldap GSSAPI mechanism no longer works for Kerberos
I upgraded my FreeIPA server on Rocky 9 and the GSSAPI mechanism for Kerberos no longer works. I'm getting error 49, invalid credentials.
In the /var/log/sssd/sssd_caps.int.log it shows:
* (2024-...
0
votes
0
answers
88
views
How to use allow_nets extra field in dovecot using GSSAPI authentication?
I would like to use dovecot with GSSAPI authentication using userdb with ldap backend. Is there any way on how to use passdb allow_nets extra attribute which is stored in ldap database?
Dovecot ...
2
votes
1
answer
1k
views
What is the best way to achieve SSO for Apache 2.4 within a Windows domain? [closed]
I would like to implement an SSO authentication (without login/password prompt) on a PHP 8 intranet app, which runs under Apache 2.4 x64 for Windows. My company has an Active Directory / LDAP / ...
0
votes
0
answers
400
views
Apache2 with GSSAPI auth, can't exclude one location from auth
We have an apache2 serving a PHP application, with kerberos authentication
We developed an API within the PHP application, and we want to access it without Kerberos auth
But we cannot manage to ...
0
votes
1
answer
755
views
Passthrough Windows AD authentication with LAMP GSSAPI/Kerberos
Trying to stand up a LAMP server on a Windows AD and get passthrough authentication working. One gotcha (which may not be as big of a deal as I'm making it), the hostname and hosted URL do NOT match: ...
1
vote
1
answer
1k
views
Troubleshooting Apache with GSS Proxy Authentication and LDAP Authorization
I'm setting up an internal web server on a domain-joined RHEL server with Kerberos authentication via GSS proxy and tiered authorization with LDAP, where Active Directory is the source of truth. ...
2
votes
2
answers
858
views
Add member to kerberos domain programmatically
I want to have an embedded device join a Linux based AD/DC domain. I have kerberos libraries (no executables) on the embedded device. I have an application on the embedded device that can ...
1
vote
2
answers
784
views
Setup SSH-Jumphost | Proxyjump with freeIPA and Kerberos-Tickets
I want to setup a bastion (ssh jumphost) to access the network behind a firewall. Both server are in a freeIPA domain. The client is a user machine and is not part of the IPA domain.
Internet/client —&...
1
vote
1
answer
5k
views
SSH will not use password authentication, still tries disabled methods
I'm running Fedora 36 Workstation with OpenSSH server 8.8p1. I want to log on a single remote user and authenticate with their password, but OpenSSH seems determined not to let me. I've tried every ...
1
vote
0
answers
7k
views
RHEL8 and GSSAPI Kerberos authenticate through Apache issue
I'm trying to run an apache virtualhost, on a machine currently running Red Hat Enterprise Linux release 8.5 (Ootpa), with Kerberos authentication using the new GSSAPI module (replacement of ...
0
votes
1
answer
4k
views
Getting javax.naming.CommunicationException: Connection reset and AD "event ID 1216" while trying to perform LDAP search using JNDI and GSSAPI
I am trying to analyze the reason for exceptions/ failures during the Ldap search. I am performing operations using JNDI on Active directory domain controller.
Here is the background for the things ...
1
vote
0
answers
3k
views
curl not sending credentials during negotiation
We have a Jenkins server that uses Kerberos-SSO, with a fallback to Basic if SSO is not configured on the browser or using curl.
When I use curl with the --negotiate argument, however, it doesn't send ...
0
votes
2
answers
685
views
Can't determine the principal used to LDAP syncrepl GSSAPI
I've configured two openldap fully functional in HA (syncrepl mode provider - slave).
After testing that simple bind syncrepl works flawlessly, I'm trying to deploy from scratch using only GSSAPI to ...
0
votes
1
answer
389
views
Azure ADDS and GSSAPI
How can I configure Azure AD Domain Services to support GSS negotiation?
I see that in the on-premises AD it can be configured to "Require signature" to negotiate the authentication ...
2
votes
1
answer
15k
views
Authenticating Apache HTTPServer 2.4.x with mod_auth_gssapi using Microsoft Active directory
I'm looking for below configurations for GSSAPI authentication with Apache 2.4 for Active directory:
1. How to configure Apache HTTPServer 2.4.x with mod_auth_gssapi using Microsoft Active directory? ...
1
vote
1
answer
4k
views
Single sign on using SSSD against OpenLDAP server with Kerberos SASL/GSSAPI
Authentication against Kerberos and authorization against an LDAP directory is working for me. Now I'm looking for the client setup on Debian Buster using sssd.
I started with LDAP authentication ...
0
votes
1
answer
1k
views
NSS query against OpenLDAP server using GSSAPI with proxy authorization
SASL/GSSAPI needs Kerberos authentication against the LDAP server with proxy authorization if using LDAP authentication with nss-pam-ldapd on a Debian Buster operating system. I try to configure this ...
0
votes
1
answer
2k
views
How to setup SASL Proxy Authorization with an OpenLDAP server on Debian
For Kerberos Authentication together with SASL/GSSAPI Authorization on client devices I need Proxy Authorization on an OpenLDAP server running on Raspberry Pi with Debian/Raspbian Buster. I tried to ...
0
votes
1
answer
1k
views
nginx - prevent caching authorization info
I am using nginx as reverse proxy for my asp.net core web application. I am using spnego module for nginx for supporting of windows integrated authentication.
It works, but if user enters incorrect ...
1
vote
0
answers
408
views
GSSAPI errors when running remctl
While migrating my Kerberos servers from CentOS 6 to CentOS 7 I seem to have broken something on the current KDC and, despite several hours of trial-and-error and searching documentation, I cannot ...
1
vote
2
answers
2k
views
Dovecot IMAP authenticating proxy using Kerberos/GSSAPI
I'm trying to set up Dovecot as authenticating reverse proxy, in front of an already running IMAP server to accomplish the following:
Have Dovecot authenticate users using Kerberos/GSSAPI (to allow ...
1
vote
1
answer
2k
views
CentOS 7: Reoccurring failure in accessing AD member samba shares
I have a Samba 4.6.2 samba ActiveDirectory member server. Every month or so, all clients lose the ability to connect to all the shares. I can work around the issue by leaving the domain, deleting the ...
1
vote
1
answer
6k
views
What does GSSAPI "Message stream modified" error mean?
I'm having trouble completing a bind to our LDAP servers on Centos 7.1 servers. Manual bind works, but ldapsearch fails with an error:
sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may ...
0
votes
1
answer
6k
views
Bind LDAP simple authentication
I have a customer with LDAP that I can only log in with GSS-API enabled.
He doesn't know how to enable simple authentication.
How can I enable this in MS ActiveDirectory?
9
votes
3
answers
10k
views
Add GSSAPI to OpenLdap in supportedSASLMechanisms
I'm looking how to add the GSSAPI support into my OpenLDAP?
Current setup
MIT Kerberos V + OpenLDAP
Kerberos bind to openldap
Able to issue kerberos tickets to my users (with kinit exampluser)
Able ...
2
votes
1
answer
2k
views
Intermittent Kerberos failures: GSSAPI authentication initialization failed
When using MIT Kerberos Ticket Manager with PuTTY 0.65 and WinSCP 5.9.3, I am sometimes unable to get a connection to the server I am logging into. PuTTY will respond with either No supported ...
0
votes
1
answer
1k
views
unable to authenticate with kerberos to ipa client from windows 10 machine
I have a domain joined windows 10 computer trying to authenticate via kerberos to an ipa (4.4.0) client (centos 7.2), I can authenticate with user/pass and then kinit but I cannot seem to authenticate ...
1
vote
1
answer
725
views
How to ensure encrypted OpenLDAP sessions using SASL/GSSAPI
I am running OpenLDAP 2.4 on a Debian jessie system. Clients typically connect to this LDAP server over port 389 using SASL/GSSAPI with our Kerberos infrastructure.
When a client connects using SASL/...
0
votes
0
answers
922
views
Why is my sshd looking for a wrong kvno in keytab?
My FreeBSD box is using Heimdal Kerberos-implementation. It is registered with the corporate AD, its msDS-KeyVersionNumber-attribute is set to 2, and its keytab has the following entries:
FILE:/etc/...
3
votes
1
answer
2k
views
gssproxy: apache httpd as nfs-client? centos7
When Apache httpd attempts to access a user directory automounted with sec=krb5p, and presumably other sec=krb options, gssproxy issues a failure message and the web server replies with 403 Forbidden. ...
0
votes
2
answers
925
views
gssapi/kerberos/active directory/ubuntu - Wrong principal in request
I'm trying to setup a Clientserver with a Webservice to which Users of an Active Directory should be able to login with SSO.
I'm using SPNEGO with Kerberos on a Ubuntu 14.04 Server and nginx proxy to ...
0
votes
0
answers
1k
views
kerberos authentication to linux from windows
We have mostly unix/linux server in our data center. We access them from our workstations running windows using putty. All the workstations are part of an AD domain but the servers are not. Kerberos ...
0
votes
1
answer
993
views
psql: duplicate GSS authentication request
What does it mean by saying 'duplicate'? How to troubleshoot this?
guest@www:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user/admin@SOHONET
Valid starting Expires ...
1
vote
1
answer
2k
views
GSSAPI on Linux when reverse DNS lookup doesn't match AD DNS suffix
I have CentOS 6 server that has been joined to Active Directory using Samba and net ads join -k.
It thus has a keytab like this:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------...
3
votes
1
answer
2k
views
Wrong user mapping in kerberized NFSv4 automounted homedirs
Short problem description
This question is about id mapping in NFSv4 going wrong.
NFS server: a Synology DS, with DSM 5.2.
Client: A regular FC22 machine, which automounts as /home one of the ...
0
votes
1
answer
1k
views
kdm and ssh detecting different fully qualified domain name when using kerberos authentication
I'm attempting to setup Kerberos login support (Windows AD domain providing the kerberos) for Kubuntu 12.04 Linux workstations at the company I'm at.
It's almost completely working but I can't get ...
0
votes
1
answer
469
views
Does "Kerberised" NFSv4 securely protect against a malicious client spoofing the user
I have read conflicting statements about whether shares exported via NFSv4 with sec=krb5 are cryptographically protected against a malicious client mounting the share and then spoofing the user to ...
1
vote
1
answer
2k
views
Mongodb + Kerberos BadValue SASL mechanism GSSAPI is not supported
I am trying to run an instance of mongodb with the authentication mechanism GSS-API. This is the command:
mongod --dbpath /home/ec2-user/db/node2/data --auth --setParameter authenticationMechanisms=...
4
votes
1
answer
4k
views
Why is sshd engaging PAM still?
Background/Behavior is: if you ssh to box via and GSSAPI/Kerberos succeeds and you have a local user in /etc/passwd, you login fine per below PAM config. All Good there.
But if you don't have a ...
13
votes
3
answers
51k
views
Putty Kerberos/GSSAPI authentication
I configured a few Linux servers to authenticate with Active Directory Kerberos using sssd on RHEL6. I also enabled GSSAPI authentication in hopes of passwordless logins.
But I can't seem to get ...
4
votes
0
answers
2k
views
Cannot enable GSS-TSIG updates from Active Directory in BIND 9.10
I’m with a problem trying to enable GSS-TSIG with BIND 9.10.
Before I start describing what I’ve done, I would like to say that I’ve already done this in another domain without any problems. So I ...
3
votes
1
answer
15k
views
problems creating a keytab file on win server
I am trying to create a keytab file. I see a warning
WARNING: pType and account type do not match. This might cause problems.
The command I use is
ktpass -princ HTTP/bloodhound.domain.com@...
0
votes
1
answer
358
views
Mail client with support for gssapi
I have configured Postfix and Cyrus Imap to enable SSO using Kerberos and GSSAPI.
I use Thunderbird as a mail client which supports GSSAPI but I wanted to try some other client also.
I tried ...
4
votes
2
answers
2k
views
Is there a way to have TortoiseSVN use Windows 7 kerberos tickets to auth against an apache svn server?
I have putty able to use gssapi on my Windows 7 x64 clients against kerberos logins for SSH. I.e. it forwards the ticket you get when you log in to windows. I can't figure out how to get TortoiseSVN to ...
0
votes
0
answers
677
views
Use gssapi with Microsoft office outlook.
Currently in windows computer I have installed Kerberos for Windows.
This allowed me to use sso with Thunderbird against a Cyrus IMAP.
Thunderbird has the option of using GSSAPI.
Is possible to ...
2
votes
2
answers
12k
views
Apache SSO through Kerberos using Machine Account
I'm attempting to get Apache on Ubuntu 12.04 to authenticate users via Kerberos SSO to a Windows 2008 Active Directory server. Here are a few things that make my situation different:
I don't have ...
0
votes
1
answer
2k
views
Strange Change in ssh behavior + LDAP
We have a cluster with a front node that admits normal users and LDAP users. Two days ago the ssh show a strange behavior:
The LDAP users can't login in the front node using password
but, The LDAP ...
5
votes
1
answer
19k
views
Can't get postgres and kerberos (gss) working together
I am trying to get postgres and kerberos, via GSSAPI, working together. Having trouble at this point. It does not help that I am really a newbie for both technologies. I have both postgres and ...