Questions tagged [gssapi]
53 questions
1
vote
0 answers
GSSAPI errors when running remctl
While migrating my Kerberos servers from CentOS 6 to CentOS 7 I seem to have broken something on the current KDC and, despite several hours of trial-and-error and searching documentation, I cannot figure out what happened.
When a user logs in using…

scarville
1
vote
2 answers
Dovecot IMAP authenticating proxy using Kerberos/GSSAPI
I'm trying to set up Dovecot as an authenticating reverse proxy, in front of an already running IMAP server to accomplish the following:
Have Dovecot authenticate users using Kerberos/GSSAPI (to allow Single-Sign-On).
If properly authenticated, have…

gertvdijk
1
vote
1 answer
CentOS 7: Reoccurring failure in accessing AD member samba shares
I have a Samba 4.6.2 samba ActiveDirectory member server. Every month or so, all clients lose the ability to connect to all the shares. I can work around the issue by leaving the domain, deleting the machine account, and re-joining the domain, but…

Charlweed
1
vote
1 answer
What does GSSAPI "Message stream modified" error mean?
I'm having trouble completing a bind to our LDAP servers on CentOS 7.1 servers. Manual bind works, but ldapsearch fails with an error:
sssd_be: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Message stream…

Juan Jimenez
1
vote
1 answer
How to ensure encrypted OpenLDAP sessions using SASL/GSSAPI
I am running OpenLDAP 2.4 on a Debian jessie system. Clients typically connect to this LDAP server over port 389 using SASL/GSSAPI with our Kerberos infrastructure.
When a client connects using SASL/GSSAPI, how should they connect to be sure that…

user35042
1
vote
1 answer
GSSAPI on Linux when reverse DNS lookup doesn't match AD DNS suffix
I have a CentOS 6 server that has been joined to Active Directory using Samba and net ads join -k.
It thus has a keytab like this:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----…

Magnus Gustavsson
1
vote
1 answer
Mongodb + Kerberos BadValue SASL mechanism GSSAPI is not supported
I am trying to run an instance of mongodb with the authentication mechanism GSS-API. This is the command:
mongod --dbpath /home/ec2-user/db/node2/data --auth --setParameter authenticationMechanisms=GSSAPI
And this is the error that I get:
F…

Adrian
1
vote
1 answer
Can one config LDAP to accept auth from ssh-agent instead of from Kerberos?
[This question is not about getting your LDAP password to authenticate you for SSH logins. We have that working just fine, thank you :-) ]
Let's suppose you're on a Linux network (Ubuntu 11.10, slapd 2.4.23), and you need to write a set of utilities…

Alex North-Keys
1
vote
2 answers
How do I use ldapsearch with a cross-realm ticket?
kinit user@DOMAIN.TLD
klist -afe
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@DOMAIN.TLD
Valid starting Expires Service principal
08/04/11 13:14:53 08/05/11 01:14:53 krbtgt/DOMAIN.TLD@DOMAIN.TLD
renew…

84104
1
vote
1 answer
Troubleshooting Apache with GSS Proxy Authentication and LDAP Authorization
I'm setting up an internal web server on a domain-joined RHEL server with Kerberos authentication via GSS proxy and tiered authorization with LDAP, where Active Directory is the source of truth. Kerberos and the authentication piece is working fine,…

Vaito
1
vote
2 answers
Setup SSH-Jumphost | Proxyjump with freeIPA and Kerberos-Tickets
I want to set up a bastion (ssh jumphost) to access the network behind a firewall. Both servers are in a freeIPA domain. The client is a user machine and is not part of the IPA domain.
Internet/client —> SSH-Jumphost —> login-node
My plan is to login…

rbn_hln
1
vote
1 answer
SSH will not use password authentication, still tries disabled methods
I'm running Fedora 36 Workstation with OpenSSH server 8.8p1. I want to log on a single remote user and authenticate with their password, but OpenSSH seems determined not to let me. I've tried every solution I can find online. Most of them seem to…

tmoore82
1
vote
0 answers
curl not sending credentials during negotiation
We have a Jenkins server that uses Kerberos-SSO, with a fallback to Basic if SSO is not configured on the browser or using curl.
When I use curl with the --negotiate argument, however, it doesn't send basic credentials information when asked for it…

Sagar
1
vote
1 answer
Authenticating Apache HTTPServer 2.4.x with mod_auth_gssapi using Microsoft Active directory
I'm looking for the below configurations for GSSAPI authentication with Apache 2.4 for Active Directory:
1. How to configure Apache HTTPServer 2.4.x with mod_auth_gssapi using Microsoft Active directory? Is there any documentation OR POC example stating…

Rohit Gaikwad
0
votes
1 answer
NSS query against OpenLDAP server using GSSAPI with proxy authorization
SASL/GSSAPI needs Kerberos authentication against the LDAP server with proxy authorization if using LDAP authentication with nss-pam-ldapd on a Debian Buster operating system. I try to configure this on my Raspberry Pis to have single sign on but…

Ingo