All Questions
36 questions
0
votes
1
answer
140
views
Kerberos authentication with GSSAPI on Windows 11 LTSC fails with [An unsupported mechanism was requested (Unknown error)]
We have a Windows 11 LTSC client that fails authentication with - Apache2 / Kerberos / GSSAPI.
This configuration works with all of our clients, Windows 10, Windows 10 LTSC, Windows 11, but not ...
1
vote
0
answers
191
views
FreeIPA ldap GSSAPI mechanism no longer works for Kerberos
I upgraded my FreeIPA server on Rocky 9 and the GSSAPI mechanism for Kerberos no longer works. I'm getting error 49, invalid credentials.
In the /var/log/sssd/sssd_caps.int.log it shows:
* (2024-...
2
votes
1
answer
1k
views
What is the best way to achieve SSO for Apache 2.4 within a Windows domain? [closed]
I would like to implement an SSO authentication (without login/password prompt) on a PHP 8 intranet app, which runs under Apache 2.4 x64 for Windows. My company has an Active Directory / LDAP / ...
2
votes
2
answers
858
views
Add member to kerberos domain programmatically
I want to have an embedded device join a Linux based AD/DC domain. I have kerberos libraries (no executables) on the embedded device. I have an application on the embedded device that can ...
1
vote
2
answers
784
views
Setup SSH-Jumphost | Proxyjump with freeIPA and Kerberos-Tickets
I want to setup a bastion (ssh jumphost) to access the network behind a firewall. Both server are in a freeIPA domain. The client is a user machine and is not part of the IPA domain.
Internet/client —&...
1
vote
0
answers
7k
views
RHEL8 and GSSAPI Kerberos authenticate through Apache issue
I'm trying to run an apache virtualhost, on a machine currently running Red Hat Enterprise Linux release 8.5 (Ootpa), with Kerberos authentication using the new GSSAPI module (replacement of ...
0
votes
1
answer
4k
views
Getting javax.naming.CommunicationException: Connection reset and AD "event ID 1216" while trying to perform LDAP search using JNDI and GSSAPI
I am trying to analyze the reason for exceptions/ failures during the Ldap search. I am performing operations using JNDI on Active directory domain controller.
Here is the background for the things ...
0
votes
2
answers
685
views
Can't determine the principal used to LDAP syncrepl GSSAPI
I've configured two openldap fully functional in HA (syncrepl mode provider - slave).
After testing that simple bind syncrepl works flawlessly, I'm trying to deploy from scratch using only GSSAPI to ...
0
votes
1
answer
1k
views
nginx - prevent caching authorization info
I am using nginx as reverse proxy for my asp.net core web application. I am using spnego module for nginx for supporting of windows integrated authentication.
It works, but if the user enters incorrect ...
1
vote
0
answers
408
views
GSSAPI errors when running remctl
While migrating my Kerberos servers from CentOS 6 to CentOS 7 I seem to have broken something on the current KDC and, despite several hours of trial-and-error and searching documentation, I cannot ...
1
vote
2
answers
2k
views
Dovecot IMAP authenticating proxy using Kerberos/GSSAPI
I'm trying to set up Dovecot as authenticating reverse proxy, in front of an already running IMAP server to accomplish the following:
Have Dovecot authenticate users using Kerberos/GSSAPI (to allow ...
1
vote
1
answer
2k
views
CentOS 7: Reoccurring failure in accessing AD member samba shares
I have a Samba 4.6.2 samba ActiveDirectory member server. Every month or so, all clients lose the ability to connect to all the shares. I can work around the issue by leaving the domain, deleting the ...
2
votes
1
answer
2k
views
Intermittent Kerberos failures: GSSAPI authentication initialization failed
When using MIT Kerberos Ticket Manager with PuTTY 0.65 and WinSCP 5.9.3, I am sometimes unable to get a connection to the server I am logging into. PuTTY will respond with either No supported ...
0
votes
1
answer
1k
views
unable to authenticate with kerberos to ipa client from windows 10 machine
I have a domain joined windows 10 computer trying to authenticate via kerberos to an ipa (4.4.0) client (centos 7.2), I can authenticate with user/pass and then kinit but I cannot seem to authenticate ...
0
votes
0
answers
922
views
Why is my sshd looking for a wrong kvno in keytab?
My FreeBSD box is using Heimdal Kerberos-implementation. It is registered with the corporate AD, its msDS-KeyVersionNumber-attribute is set to 2, and its keytab has the following entries:
FILE:/etc/...
3
votes
1
answer
2k
views
gssproxy: apache httpd as nfs-client? centos7
When Apache httpd attempts to access a user directory automounted with sec=krb5p, and presumably other sec=krb options, gssproxy issues a failure message and the web server replies with 403 Forbidden. ...
0
votes
2
answers
925
views
gssapi/kerberos/active directory/ubuntu - Wrong principal in request
I'm trying to setup a Clientserver with a Webservice to which Users of an Active Directory should be able to login with SSO.
I'm using SPNEGO with Kerberos on a Ubuntu 14.04 Server and nginx proxy to ...
0
votes
0
answers
1k
views
kerberos authentication to linux from windows
We have mostly unix/linux server in our data center. We access them from our workstations running windows using putty. All the workstations are part of an AD domain but the servers are not. Kerberos ...
0
votes
1
answer
993
views
psql: duplicate GSS authentication request
What does it mean by saying 'duplicate' ? How to troubleshoot this?
guest@www:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user/admin@SOHONET
Valid starting Expires ...
1
vote
1
answer
2k
views
GSSAPI on Linux when reverse DNS lookup doesn't match AD DNS suffix
I have CentOS 6 server that has been joined to Active Directory using Samba and net ads join -k.
It thus has a keytab like this:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------...
3
votes
1
answer
2k
views
Wrong user mapping in kerberized NFSv4 automounted homedirs
Short problem description
This question is about id mapping in NFSv4 going wrong.
NFS server: a Synology DS, with DSM 5.2.
Client: A regular FC22 machine, which automounts as /home one of the ...
0
votes
1
answer
1k
views
kdm and ssh detecting different fully qualified domain name when using kerberos authentication
I'm attempting to setup Kerberos login support (Windows AD domain providing the kerberos) for Kubuntu 12.04 Linux workstations at the company I'm at.
It's almost completely working but I can't get ...
0
votes
1
answer
469
views
Does "Kerberised" NFSv4 securely protect against a malicious client spoofing the user
I have read conflicting statements about whether shares exported via NFSv4 with sec=krb5 are cryptographically protected against a malicious client mounting the share and then spoofing the user to ...
1
vote
1
answer
2k
views
Mongodb + Kerberos BadValue SASL mechanism GSSAPI is not supported
I am trying to run an instance of mongodb with the authentication mechanism GSS-API. This is the command:
mongod --dbpath /home/ec2-user/db/node2/data --auth --setParameter authenticationMechanisms=...
4
votes
1
answer
4k
views
Why is sshd engaging PAM still?
Background/Behavior is: if you ssh to box via and GSSAPI/Kerberos succeeds and you have a local user in /etc/passwd, you login fine per below PAM config. All Good there.
But if you don't have a ...
13
votes
3
answers
51k
views
Putty Kerberos/GSSAPI authentication
I configured a few Linux servers to authenticate with Active Directory Kerberos using sssd on RHEL6. I also enabled GSSAPI authentication in hopes of passwordless logins.
But I can't seem to get ...
4
votes
0
answers
2k
views
Cannot enable GSS-TSIG updates from Active Directory in BIND 9.10
I have a problem trying to enable GSS-TSIG with BIND 9.10.
Before I start describing what I’ve done, I would like to say that I’ve already done this in another domain without any problems. So I ...
3
votes
1
answer
15k
views
problems creating a keytab file on win server
I am trying to create a keytab file. I see a warning
WARNING: pType and account type do not match. This might cause problems.
The command I use is
ktpass -princ HTTP/bloodhound.domain.com@...
0
votes
1
answer
358
views
Mail client with support for gssapi
I have configured Postfix and Cyrus Imap to enable SSO using Kerberos and GSSAPI.
I use Thunderbird as a mail client which supports GSSAPI but I wanted to try some other client also.
I tried ...
4
votes
2
answers
2k
views
Is there a way to have TortoiseSVN use Windows 7 kerberos tickets to auth against an apache svn server?
I have putty able to use gssapi on my Windows 7 x64 clients against kerberos logins for SSH. I.e. it forwards the ticket you get when you log in to windows. I can't figure out how to get TortoiseSVN to ...
2
votes
2
answers
12k
views
Apache SSO through Kerberos using Machine Account
I'm attempting to get Apache on Ubuntu 12.04 to authenticate users via Kerberos SSO to a Windows 2008 Active Directory server. Here are a few things that make my situation different:
I don't have ...
5
votes
1
answer
19k
views
Can't get postgres and kerberos (gss) working together
I am trying to get postgres and kerberos, via GSSAPI, working together. Having trouble at this point. It does not help that I am really a newbie for both technologies. I have both postgres and ...
2
votes
3
answers
11k
views
Wrong principal in request (SSH/ GSSAPI/Kerberos/Debian)
I've set up two VMs on an "internal" (in VirtualBox meaning) network, one being a DNS server (dns1.example.com) and the other - a KDC and Kerberos admin server (kdc.example.com). The default and the ...
2
votes
1
answer
15k
views
OpenSSH + Kerberos SSO: No key table entry found for host/localhost.localdomain
SSO not working with OpenSSH - I have not been able to get GSSAPIAuthentication to work with Kerberos. Every time I attempted to login, I kept getting prompted for the password.
During the ...
0
votes
1
answer
205
views
Error on trying to ssh to a prgmr box when using PuTTY like utility KiTTY
I recently got a box on prgmr. Excited, I tried to login using my username password in KiTTY (which is basically an improved PuTTY) and got the following error, shown in the screenshot.
Now, I can ...
1
vote
2
answers
4k
views
How do I use ldapsearch with a cross-realm ticket?
kinit [email protected]
klist -afe
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]
Valid starting Expires Service principal
08/04/11 13:14:53 08/05/11 01:...