Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation are likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used platforms.

1168 questions
8
votes
4 answers

Running a Windows service under a domain user account

If I run a Windows service on some host under a domain user account, and the password for this account changes at some later point, will the service now fail to start, until you update the password? If not, how are the credentials for the domain…
BeeOnRope
7
votes
3 answers

ldapsearch and kerberos authentication

I can successfully connect and search to an Active Directory domain controller using ldapsearch. I am using the -x option, to specify a username/password authentication (password being specified by -W and username by -D). I currently need to dump…
philippe
7
votes
1 answer

Set up a Windows 10 Client for a Linux KDC Realm

I set up a KDC Server and created a Realm EXAMPLE.COM. Here is my krb5.conf file: [libdefaults] renew_lifetime = 7d forwardable = true default_realm = EXAMPLE.COM ticket_lifetime = 24h dns_lookup_realm = false dns_lookup_kdc = false …
D. Müller
7
votes
1 answer

Does ActiveDirectory support Kerberos user principal instances?

User principal instance has format username/instance@REALM and separate password. According to some sources it's possible to create such principals in MIT Kerberos. Does ActiveDirectory support this Kerberos feature?
olmstad
7
votes
2 answers

creating an SPN from a linux build server

I'm setting up a process which would automatically create the SPNs for newly exposed service URLs. I am aware of how to create an SPN with Windows using the setspn -A command with the right privileges. As my build server is running on Linux, I…
Balint Pato
7
votes
1 answer

Is it possible to use Kerberos over TLS through sssd?

Background I am trying to log in (via SSH, to an Amazon Linux EC2 instance running sssd) as users that I've created in my AWS Directory Services Simple AD. I am authenticating with Kerberos and identifying the user with LDAP (all through sssd.) I…
2rs2ts
7
votes
1 answer

Creating keytabs and service principal names

I'm trying to set up a keytab for a Java server to support Kerberos authentication on a Windows network. I'm struggling to get it working even at the level of the command line tools, haven't even got as far as the server setup yet! My plan just…
user21693
7
votes
1 answer

Does Active Directory's Kerberos implementation support per-user ticket lifetime settings?

With MIT Kerberos, the kadmin utility supports the creation of principals that have an explicit maximum ticket lifetime and renewal lifetime (-maxlife and -maxrenewlife arguments for add_principal) which may be different than the realm's default…
Ryan Bolger
7
votes
1 answer

Can't change password of FreeIPA admin - "Current password's minimum life has not expired"

We have a FreeIPA-based system, admin's password has expired and needs to be changed but the standard password changing procedure over SSH fails: sashka@cellar ~ ssh admin@ipa.xxxxxxxxxx.com admin@ipa.xxxxxxxxxx.com's password: Password expired.…
Alex
7
votes
2 answers

NetApp erroring with: STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

Since a sitewide upgrade to Windows 7 on desktop, I've started having a problem with virus checking. Specifically - when doing a rename operation on a (filer hosted) CIFS share. The virus checker seems to be triggering a set of messages on the…
Sobrique
7
votes
4 answers

0x19 KDC_ERR_PREAUTH_REQUIRED in my event log

So I have a server, and every time a user or service account logs on to the machine, an error event is generated in the System log: A Kerberos Error Message was received: on logon session DOMAIN\serviceaccount Client Time: Server Time:…
Ryan Ries
7
votes
2 answers

ActiveDirectory Kerberos keytab unusable from Linux

I am configuring Kerberos authentication for Alfresco CIFS protocol fully implemented in Java (JLAN project). That is not the first time, I used to set it up right in a single shot. In the same network, with an ActiveDirectory Windows 2008R2 and the…
Yves Martin
7
votes
1 answer

Best practice for authenticating DMZ against AD in LAN

We have few customer facing servers in DMZ that also have user accounts, all accounts are in shadow password file. I am trying to consolidate user logons and thinking about letting LAN users to authenticate against Active Directory. Services…
Sergei
7
votes
2 answers

debian: cannot change password

As the root user, I can change the password: hussie:/home/claudiu# passwd Enter new password: Retype new password: passwd: password updated successfully As a non-root user I cannot: claudiu@hussie:~$ passwd Current Kerberos password: passwd: User…
Claudiu
7
votes
1 answer

Renewing kerberos ticket without user intervention

We have found the most excellent program that will allow our OSX machines to print through our Windows Print servers. (ksmbprint from http://deploystudio.com/) The program allows for smb printing to the servers through kerberos…
eric.s