Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation are likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used platforms.

1136 questions
3 votes, 2 answers

Enabling AES-encrypted single sign-on to Apache in a Win2008 domain

All of the tutorials I could find on setting up single sign-on into an Apache-hosted website using Active Directory authentication do so by configuring Kerberos with insecure settings. It's been best practice for a while now to disable RC4-HMAC…
3 votes, 1 answer

Use Kerberos ticket to access WebDAV

Using Apache's mod_dav as the server, Samba 4.1.17 as the server and any version of Windows from 7 upwards as the client, how can I mount a WebDAV share using Kerberos for the authentication? Currently I have WebDAV and Kerberos confirmed working…
Flexo
3 votes, 1 answer

Wrong user mapping in kerberized NFSv4 automounted homedirs

Short problem description: This question is about id mapping in NFSv4 going wrong. NFS server: a Synology DS, with DSM 5.2. Client: A regular FC22 machine, which automounts as /home one of the exported folders from above. Both machines are enrolled…
cornuz
3 votes, 1 answer

LDAP + KERBEROS + NFS. Why do I need idmapd?

What I am trying to do: I have a freeIPA domain, with a few clients and a Synology NAS (also enrolled in freeIPA). I created a shared folder on the NAS, with NFSv4 + krb5 support. From the client, I obtain a ticket for LDAP user user1@mydomain.com…
cornuz
3 votes, 1 answer

how can I restrict kerberos service tickets by group?

I have multiple Linux servers all configured to allow kerberos authentication with active directory. All other user and group attributes reside in a separate directory server (389). I am able to log in and fetch user information (getent passwd, id,…
Darren
3 votes, 3 answers

Using SSH Keys with Kerberos

So there's an issue that we've been having at our company causing me to pull my hair out for the past week: We have hundreds of server boxes (a mix of CentOS6/7, if it matters) that need to quickly be SSHed into on a daily basis between a team.…
Mark O'Reilly
3 votes, 1 answer

Windows client damage authorization header (Kerberos) => IIS 400 (Bad Request)

We are facing strange behavior on about 5% of Windows (7 Pro and XP Pro, both 32 and 64 bits) client computers. These computers randomly get an error from the IIS server - 400 Bad request. We are using Windows domain and these clients are trying to…
3 votes, 2 answers

Linux AD integration, unable to login when using Windows Server 2012 DC

I am trying to integrate my CentOS 6.6 servers into Active Directory. I've followed this guide from Red Hat using configuration 3 (SSSD/Kerberos/LDAP). When using a Windows Server 2008 R2 server as the domain controller w/ IMU enabled, everything…
Python Novice
3 votes, 1 answer

Can't get client to Authenticate with IIS over Kerberos

WHAT I WANT: An App running on an IIS Server, SQL running on SQLServer, and my user running the site on their machine and connecting to SQL using their credentials. WHAT I HAVE SET UP: I have 3 machines: 1 running AD (ADMachine), 1 running SQL Server…
Noreen
3 votes, 0 answers

CUPS remote print queues

In my network, there are multiple printers over many locations, all connected to a single CUPS server via whatever protocols they require. Client machines on the network need to print to the printers near them, segregated by location, but each…
Robin McCorkell
3 votes, 1 answer

problems creating a keytab file on win server

I am trying to create a keytab file. I see a warning: WARNING: pType and account type do not match. This might cause problems. The command I use is ktpass -princ HTTP/bloodhound.domain.com@DOMAIN.COM -mapuser ldaplookup@domain.com -crypto…
3 votes, 2 answers

How to clear kerberos config

I am setting my machine as a kerberos client. I have a question on how the kerberos config file actually takes effect and how to clear its effect. My experiment is as follows. Step 1, without editing the /etc/krb5.conf file, I typed kinit and got what…
user2196452
3 votes, 0 answers

kinit error: Realm not local to KDC, DC is in a subdomain

I have a user: oneuser@EXEMPLE.COM as principal and the next krb5.conf: [libdefaults] default_realm = EXEMPLE.COM default_tkt_enctypes = arcfour-hmac-md5 default_tgs_enctypes = arcfour-hmac-md5 permitted_enctypes =…
3 votes, 2 answers

NFS client keytab: multiple machines

How should one go about setting up client-side keytab files for each client machine to access network services? My working example is NFSv4, which requires each client to have a Kerberos keytab locally on the client machines (as well as the NFS…
Cosmic Ossifrage
3 votes, 2 answers

Why should I not run setspn.exe on the domain controller?

I found several references (see below) on blogs that the setspn.exe utility should be run from either a client or server machine in the domain, but not from the domain controller…
MvdD