
Questions tagged [gssapi]

The tag has no usage guidance.

13 votes
3 answers
48k views

PuTTY Kerberos/GSSAPI authentication

I configured a few Linux servers to authenticate with Active Directory Kerberos using sssd on RHEL6. I also enabled GSSAPI authentication in hopes of passwordless logins. But I can't seem to get ...
xdfil's user avatar
  • 521
9 votes
3 answers
10k views

Add GSSAPI to OpenLdap in supportedSASLMechanisms

I'm looking for how to add GSSAPI support to my OpenLDAP? Current setup MIT Kerberos V + OpenLDAP Kerberos bind to openldap Able to issue kerberos tickets to my users (with kinit exampluser) Able ...
Tolsadus's user avatar
  • 1,193
5 votes
1 answer
18k views

Can't get postgres and kerberos (gss) working together

I am trying to get postgres and kerberos, via GSSAPI, working together. Having trouble at this point. It does not help that I am really a newbie for both technologies. I have both postgres and ...
Wanderer's user avatar
  • 151
4 votes
2 answers
2k views

Is there a way to have TortoiseSVN use Windows 7 kerberos tickets to auth against an apache svn server?

I have PuTTY able to use gssapi on my Windows 7 x64 clients against kerberos logins for SSH. I.e. it forwards the ticket you get when you log in to Windows. I can't figure out how to get TortoiseSVN to ...
jmp242's user avatar
  • 688
4 votes
1 answer
4k views

Why is sshd engaging PAM still?

Background/Behavior is: if you ssh to box via and GSSAPI/Kerberos succeeds and you have a local user in /etc/passwd, you login fine per below PAM config. All Good there. But if you don't have a ...
jouell's user avatar
  • 621
4 votes
0 answers
2k views

Cannot enable GSS-TSIG updates from Active Directory in BIND 9.10

I’m having a problem trying to enable GSS-TSIG with BIND 9.10. Before I start describing what I’ve done, I would like to say that I’ve already done this in another domain without any problems. So I ...
Vinícius Ferrão's user avatar
3 votes
1 answer
14k views

problems creating a keytab file on win server

I am trying to create a keytab file. I see a warning WARNING: pType and account type do not match. This might cause problems. The command I use is ktpass -princ HTTP/bloodhound.domain.com@...
shorif2000's user avatar
3 votes
1 answer
1k views

SSH - slow authentication

This is more of a curiosity question than a problem at this point. I have resolved my problem which I'll post the solution that worked for me. problem I was getting rather slow authentication times ...
au_stan's user avatar
  • 347
3 votes
1 answer
5k views

Openldap/Sasl/GSSAPI on Debian: Key table entry not found

The goal: to make an OpenLDAP server to authenticate using Kerberos V via GSSAPI Setup: several virtual machines running on freshly installed/updated Debian Squeeze A master KDC server kdc.example....
badbishop's user avatar
  • 928
3 votes
1 answer
2k views

Wrong user mapping in kerberized NFSv4 automounted homedirs

Short problem description This question is about id mapping in NFSv4 going wrong. NFS server: a Synology DS, with DSM 5.2. Client: A regular FC22 machine, which automounts as /home one of the ...
cornuz's user avatar
  • 437
3 votes
1 answer
2k views

gssproxy: apache httpd as nfs-client? centos7

When Apache httpd attempts to access a user directory automounted with sec=krb5p, and presumably other sec=krb options, gssproxy issues a failure message and the web server replies with 403 Forbidden. ...
84104's user avatar
  • 13.1k
2 votes
1 answer
14k views

OpenSSH + Kerberos SSO: No key table entry found for host/localhost.localdomain

SSO not working with OpenSSH - I have not been able to get GSSAPIAuthentication to work with Kerberos. Every time I attempted to login, I kept getting prompted for the password. During the ...
Rilindo's user avatar
  • 5,088
2 votes
1 answer
2k views

Intermittent Kerberos failures: GSSAPI authentication initialization failed

When using MIT Kerberos Ticket Manager with PuTTY 0.65 and WinSCP 5.9.3, I am sometimes unable to get a connection to the server I am logging into. PuTTY will respond with either No supported ...
Chris Watts's user avatar
2 votes
2 answers
12k views

Apache SSO through Kerberos using Machine Account

I'm attempting to get Apache on Ubuntu 12.04 to authenticate users via Kerberos SSO to a Windows 2008 Active Directory server. Here are a few things that make my situation different: I don't have ...
watkipet's user avatar
  • 252
2 votes
3 answers
11k views

Wrong principal in request (SSH/ GSSAPI/Kerberos/Debian)

I've set up two VMs on an "internal" (in VirtualBox meaning) network, one being a DNS server (dns1.example.com) and the other - a KDC and Kerberos admin server (kdc.example.com). The default and the ...
badbishop's user avatar
  • 928
1 vote
1 answer
5k views

What does GSSAPI "Message stream modified" error mean?

I'm having trouble completing a bind to our LDAP servers on Centos 7.1 servers. Manual bind works, but ldapsearch fails with an error: sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may ...
Juan Jimenez's user avatar
1 vote
2 answers
2k views

Dovecot IMAP authenticating proxy using Kerberos/GSSAPI

I'm trying to set up Dovecot as authenticating reverse proxy, in front of an already running IMAP server to accomplish the following: Have Dovecot authenticate users using Kerberos/GSSAPI (to allow ...
gertvdijk's user avatar
  • 3,624
1 vote
1 answer
459 views

What is the best way to achieve SSO for Apache 2.4 within a Windows domain? [closed]

I would like to implement an SSO authentication (without login/password prompt) on a PHP 8 intranet app, which runs under Apache 2.4 x64 for Windows. My company has an Active Directory / LDAP / ...
b126's user avatar
  • 113
1 vote
2 answers
618 views

Add member to kerberos domain programmatically

I want to have an embedded device join a Linux based AD/DC domain. I have kerberos libraries (no executables) on the embedded device. I have an application on the embedded device that can ...
Richard Schmitt's user avatar
1 vote
1 answer
3k views

SSH will not use password authentication, still tries disabled methods

I'm running Fedora 36 Workstation with OpenSSH server 8.8p1. I want to log on a single remote user and authenticate with their password, but OpenSSH seems determined not to let me. I've tried every ...
tmoore82's user avatar
  • 131
1 vote
1 answer
13k views

Authenticating Apache HTTPServer 2.4.x with mod_auth_gssapi using Microsoft Active directory

I'm looking for below configurations for GSSAPI authentication with Apache 2.4 for Active directory: 1. How to configure Apache HTTPServer 2.4.x with mod_auth_gssapi using Microsoft Active directory? ...
Rohit Gaikwad's user avatar
1 vote
1 answer
3k views

Single sign on using SSSD against OpenLDAP server with Kerberos SASL/GSSAPI

Authentication against Kerberos and authorization against an LDAP directory is working for me. Now I'm looking for the client setup on Debian Buster using sssd. I started with LDAP authentication ...
Ingo's user avatar
  • 485
1 vote
1 answer
2k views

Mongodb + Kerberos BadValue SASL mechanism GSSAPI is not supported

I am trying to run an instance of mongodb with the authentication mechanism GSS-API. This is the command: mongod --dbpath /home/ec2-user/db/node2/data --auth --setParameter authenticationMechanisms=...
Adrian's user avatar
  • 141
1 vote
2 answers
4k views

How do I use ldapsearch with a cross-realm ticket?

kinit [email protected] klist -afe Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: [email protected] Valid starting Expires Service principal 08/04/11 13:14:53 08/05/11 01:...
84104's user avatar
  • 13.1k
1 vote
1 answer
869 views

Troubleshooting Apache with GSS Proxy Authentication and LDAP Authorization

I'm setting up an internal web server on a domain-joined RHEL server with Kerberos authentication via GSS proxy and tiered authorization with LDAP, where Active Directory is the source of truth. ...
Vaito's user avatar
  • 21
1 vote
2 answers
656 views

Setup SSH-Jumphost | Proxyjump with freeIPA and Kerberos-Tickets

I want to setup a bastion (ssh jumphost) to access the network behind a firewall. Both servers are in a freeIPA domain. The client is a user machine and is not part of the IPA domain. Internet/client —&...
rbn_hln's user avatar
  • 11
1 vote
0 answers
6k views

RHEL8 and GSSAPI Kerberos authenticate through Apache issue

I'm trying to run an apache virtualhost, on a machine currently running Red Hat Enterprise Linux release 8.5 (Ootpa), with Kerberos authentication using the new GSSAPI module (replacement of ...
Wrest's user avatar
  • 31
1 vote
0 answers
3k views

curl not sending credentials during negotiation

We have a Jenkins server that uses Kerberos-SSO, with a fallback to Basic if SSO is not configured on the browser or using curl. When I use curl with the --negotiate argument, however, it doesn't send ...
Sagar's user avatar
  • 534
1 vote
0 answers
321 views

GSSAPI errors when running remctl

While migrating my Kerberos servers from CentOS 6 to CentOS 7 I seem to have broken something on the current KDC and, despite several hours of trial-and-error and searching documentation, I cannot ...
scarville's user avatar
1 vote
1 answer
2k views

CentOS 7: Reoccurring failure in accessing AD member samba shares

I have a Samba 4.6.2 samba ActiveDirectory member server. Every month or so, all clients lose the ability to connect to all the shares. I can work around the issue by leaving the domain, deleting the ...
Charlweed's user avatar
  • 249
1 vote
1 answer
649 views

How to ensure encrypted OpenLDAP sessions using SASL/GSSAPI

I am running OpenLDAP 2.4 on a Debian jessie system. Clients typically connect to this LDAP server over port 389 using SASL/GSSAPI with our Kerberos infrastructure. When a client connects using SASL/...
user35042's user avatar
  • 2,721
1 vote
1 answer
2k views

GSSAPI on Linux when reverse DNS lookup doesn't match AD DNS suffix

I have CentOS 6 server that has been joined to Active Directory using Samba and net ads join -k. It thus has a keytab like this: Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- ---------------...
Magnus Gustavsson's user avatar
1 vote
1 answer
764 views

Can one config LDAP to accept auth from ssh-agent instead of from Kerberos?

[This question is not about getting your LDAP password to authenticate you for SSH logins. We have that working just fine, thank you :-) ] Let's suppose you're on a Linux network (Ubuntu 11.10, slapd ...
Alex North-Keys's user avatar
0 votes
1 answer
3k views

Getting javax.naming.CommunicationException: Connection reset and AD "event ID 1216" while trying to perform LDAP search using JNDI and GSSAPI

I am trying to analyze the reason for exceptions/ failures during the Ldap search. I am performing operations using JNDI on Active directory domain controller. Here is the background for the things ...
theimpatientcoder's user avatar
0 votes
1 answer
2k views

Strange Change in ssh behavior + LDAP

We have a cluster with a front node that admits normal users and LDAP users. Two days ago ssh showed a strange behavior: the LDAP users can't log in to the front node using a password, but the LDAP ...
Zhen's user avatar
  • 2,159
0 votes
1 answer
6k views

Bind LDAP simple authentication

I have a customer with LDAP that I can only log in with GSS-API enabled. He doesn't know how to enable simple authentication. How can I enable this in MS ActiveDirectory?
Nati's user avatar
  • 101
0 votes
2 answers
900 views

gssapi/kerberos/active directory/ubuntu - Wrong principal in request

I'm trying to setup a Clientserver with a Webservice to which Users of an Active Directory should be able to login with SSO. I'm using SPNEGO with Kerberos on a Ubuntu 14.04 Server and nginx proxy to ...
Sky's user avatar
  • 11
0 votes
1 answer
1k views

kdm and ssh detecting different fully qualified domain name when using kerberos authentication

I'm attempting to setup Kerberos login support (Windows AD domain providing the kerberos) for Kubuntu 12.04 Linux workstations at the company I'm at. It's almost completely working but I can't get ...
Jason Alavaliant's user avatar
0 votes
1 answer
342 views

Mail client with support for gssapi

I have configured Postfix and Cyrus Imap to enable SSO using Kerberos and GSSAPI. I use Thunderbird as a mail client which supports GSSAPI but I wanted to try some other client also. I tried ...
Maria José's user avatar
0 votes
1 answer
203 views

Error on trying to ssh to a prgmr box when using PuTTY like utility KiTTY

I recently got a box on prgmr. Excited, I tried to login using my username password in KiTTY (which is basically an improved PuTTY) and got the following error, shown in the screenshot. Now, I can ...
detj's user avatar
  • 103
0 votes
0 answers
45 views

How to use allow_nets extra field in dovecot using GSSAPI authentication?

I would like to use dovecot with GSSAPI authentication using userdb with ldap backend. Is there any way to use the passdb allow_nets extra attribute which is stored in the ldap database? Dovecot ...
sfandris's user avatar
0 votes
0 answers
203 views

Apache2 with GSSAPI auth, can't exclude one location from auth

We have an apache2 serving a PHP application, with kerberos authentication We developed an API within the PHP application, and we want to access it without Kerberos auth But we cannot manage to ...
Wad's user avatar
  • 1
0 votes
1 answer
411 views

Passthrough Windows AD authentication with LAMP GSSAPI/Kerberos

Trying to stand up a LAMP server on a Windows AD and get passthrough authentication working. One gotcha (which may not be as big of a deal as I'm making it), the hostname and hosted URL do NOT match: ...
SkipSinclair's user avatar
0 votes
2 answers
633 views

Can't determine the principal used to LDAP syncrepl GSSAPI

I've configured two openldap fully functional in HA (syncrepl mode provider - slave). After testing that simple bind syncrepl works flawlessly, I'm trying to deploy from scratch using only GSSAPI to ...
DG DM's user avatar
  • 35
0 votes
1 answer
361 views

Azure ADDS and GSSAPI

How can I configure Azure AD Domain Services to support GSS negotiation? I see that in the on-premises AD it can be configured to "Require signature" to negotiate the authentication ...
JayBee's user avatar
  • 11
0 votes
1 answer
1k views

NSS query against OpenLDAP server using GSSAPI with proxy authorization

SASL/GSSAPI needs Kerberos authentication against the LDAP server with proxy authorization if using LDAP authentication with nss-pam-ldapd on a Debian Buster operating system. I try to configure this ...
Ingo's user avatar
  • 485
0 votes
1 answer
2k views

How to setup SASL Proxy Authorization with an OpenLDAP server on Debian

For Kerberos Authentication together with SASL/GSSAPI Authorization on client devices I need Proxy Authorization on an OpenLDAP server running on Raspberry Pi with Debian/Raspbian Buster. I tried to ...
Ingo's user avatar
  • 485
0 votes
1 answer
1k views

nginx - prevent caching authorization info

I am using nginx as a reverse proxy for my asp.net core web application. I am using the spnego module for nginx to support Windows integrated authentication. It works, but if the user enters incorrect ...
DarkGenius's user avatar
0 votes
1 answer
1k views

unable to authenticate with kerberos to ipa client from windows 10 machine

I have a domain joined windows 10 computer trying to authenticate via kerberos to an ipa (4.4.0) client (centos 7.2), I can authenticate with user/pass and then kinit but I cannot seem to authenticate ...
Jacob Evans's user avatar
  • 8,076
0 votes
0 answers
853 views

Why is my sshd looking for a wrong kvno in keytab?

My FreeBSD box is using Heimdal Kerberos-implementation. It is registered with the corporate AD, its msDS-KeyVersionNumber-attribute is set to 2, and its keytab has the following entries: FILE:/etc/...
Mikhail T.'s user avatar
  • 2,411