Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation are likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used platforms.

1136 questions
7
votes
1 answer

Does ActiveDirectory support Kerberos user principal instances?

A user principal instance has the format username/instance@REALM and a separate password. According to some sources it's possible to create such principals in MIT Kerberos. Does ActiveDirectory support this Kerberos feature?
olmstad
7
votes
2 answers

creating an SPN from a linux build server

I'm setting up a process which would automatically create the SPNs for newly exposed service URLs. I am aware of how to create an SPN with Windows using the setspn -A command with the right privileges. As my build server is running on Linux, I…
Balint Pato
7
votes
1 answer

Is it possible to use Kerberos over TLS through sssd?

Background I am trying to log in (via SSH, to an Amazon Linux EC2 instance running sssd) as users that I've created in my AWS Directory Services Simple AD. I am authenticating with Kerberos and identifying the user with LDAP (all through sssd.) I…
2rs2ts
7
votes
1 answer

Creating keytabs and service principal names

I'm trying to set up a keytab for a Java server to support Kerberos authentication on a Windows network. I'm struggling to get it working even at the level of the command line tools, haven't even got as far as the server setup yet! My plan just…
user21693
7
votes
2 answers

Changing login-formats for Linux and Active Directory

On CentOS, I run realm list and see login-formats: %U@mydomain.local I'd like to change login-formats: %U@mydomain.local to login-formats: %U How would I go about doing this? I'm assuming there is a .conf file, I've checked sssd.conf and krb5.conf…
dcfcolo
7
votes
1 answer

Does Active Directory's Kerberos implementation support per-user ticket lifetime settings?

With MIT Kerberos, the kadmin utility supports the creation of principals that have an explicit maximum ticket lifetime and renewal lifetime (-maxlife and -maxrenewlife arguments for add_principal) which may be different than the realm's default…
Ryan Bolger
7
votes
1 answer

Can't change password of FreeIPA admin - "Current password's minimum life has not expired"

We have a FreeIPA-based system, admin's password has expired and needs to be changed but the standard password changing procedure over SSH fails: sashka@cellar ~ ssh admin@ipa.xxxxxxxxxx.com admin@ipa.xxxxxxxxxx.com's password: Password expired.…
Alex
7
votes
2 answers

NetApp erroring with: STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

Since a sitewide upgrade to Windows 7 on desktop, I've started having a problem with virus checking. Specifically - when doing a rename operation on a (filer hosted) CIFS share. The virus checker seems to be triggering a set of messages on the…
Sobrique
7
votes
1 answer

How exactly does the HOST/machine SPN work?

Normally when you set up Kerberos for IIS, you would do something like setspn -A HTTP/machine some_account. When IIS 7 is installed, it registers the SPN "HOST/machine" for its kernel-mode authentication. Why does this work? Is "HOST" some kind…
bmm6o
7
votes
2 answers

ActiveDirectory Kerberos keytab unusable from Linux

I am configuring Kerberos authentication for Alfresco CIFS protocol fully implemented in Java (JLAN project). That is not the first time, I used to set it up right in a single shot. In the same network, with an ActiveDirectory Windows 2008R2 and the…
Yves Martin
7
votes
1 answer

Best practice for authenticating DMZ against AD in LAN

We have a few customer-facing servers in the DMZ that also have user accounts; all accounts are in the shadow password file. I am trying to consolidate user logons and thinking about letting LAN users authenticate against Active Directory. Services…
Sergei
7
votes
2 answers

debian: cannot change password

As the root user, I can change the password: hussie:/home/claudiu# passwd Enter new password: Retype new password: passwd: password updated successfully As a non-root user I cannot: claudiu@hussie:~$ passwd Current Kerberos password: passwd: User…
Claudiu
7
votes
1 answer

Renewing kerberos ticket without user intervention

We have found the most excellent program that will allow our OSX machines to print through our Windows Print servers. (ksmbprint from http://deploystudio.com/) The program allows for smb printing with to the servers through kerberos…
eric.s
7
votes
2 answers

Does kerbtray.exe not exist for windows server 2008

I can not find a valid kerbtray.exe for windows server 2008. I can only find for 2000 and 2003. Does it not exist or it is just replaced with something else?
Atle
7
votes
1 answer

Relative security of SAML vs Kerberos

Does anyone have any info/links on the relative security of SAML vs Kerberos. I believe I grasp the differences between the two, and what they mean for my particular application, but to decide between the two, knowing which is more secure, if…
Robert Gowland