Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation are likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used platforms.

1168 questions
0 votes, 0 answers

Authentication Uses NTLM instead of Kerberos

We have transferred our site (httpd+nginx+php) from a simple host with 3 containers to a kuber cluster. And after that for some reason SSO has stopped working. Kerberos and Samba configs are the same, AD domain is the same. Simple Kerberos login with…
0 votes, 0 answers

Apache with SSO and group-based authentication

I would like to configure SSO in Apache incl. group-based authentication. It means that users, who are a member of a particular group, should be able to log in to the website without entering the login data. Users, who aren't a member of the group,…
0 votes, 0 answers

KRB5KRB_AP_ERR_MODIFIED trying to use SPN credentials

I'm trying to set up a Windows 2019 system as an SMB server to work with third-party software on an external, non-Windows system that uses Kerberos to authenticate to the SMB server. This SMB server is joined to an existing Active Directory domain…
0 votes, 0 answers

NFSv4 with Kerberos takes a long time to mount

I have an NFS server with Kerberos authentication (Debian 11). If I want to mount a share on a client for the first time after a restart, this takes 10-12 seconds. If I then mount another share from the same server, it works almost immediately. NFS…
Nick
0 votes, 0 answers

How can I detect a Kerberos authentication to execute a command

I would like to execute a command every time a user is authenticating on the server. As for now, the only way I can "detect" a valid authentication is by looking at the logs in /var/log/auth.log. As logs are not meant to be used as triggers, I'd…
Bnr
0 votes, 1 answer

FreeIPA and Kerberos [Cannot contact any KDC for realm while getting initial credentials]

I hope this is the correct forum to ask. We run a cluster (CentOS 7) using FreeIPA for account management. On Sunday the IPA server suddenly restarted and since then, users are no longer able to log in via ssh and Kerberos credentials can no longer…
Yannick
0 votes, 0 answers

Apache2 SSO mod_auth_kerb An unsupported mechanism was requested

I am using a Windows 2022 Server running the active directory (server.local) and a Debian 10 Server running Apache. When accessing the Site with Chrome or Internet Explorer it returns a 401 Status Code and the error.log has…
dwaltsch
0 votes, 1 answer

Access kerberized resources from cron job using a keytab

I'm on Ubuntu 22.04 which is joined to an Active Directory 2016 by sssd. I have access to several network resources through Kerberos: file shares, Oracle and Postgres databases. All is good. But I also want to be able to access these resources from a…
0 votes, 0 answers

RHEL8 and GSSAPI Kerberos authenticate through Apache issue

I'm trying to run an Apache virtual host, on a machine currently running Red Hat Enterprise Linux release 8.5 (Ootpa), with Kerberos authentication using the new GSSAPI module (replacement of mod_auth_kerb). I also configured LDAP directives to…
Wrest
0 votes, 0 answers

Validating credentials in PowerShell won't use Kerberos

In reality I'm debugging a C# app but since the same command is possible in PowerShell I'm trying there. I am trying to validate user accounts using the following in PowerShell: > Add-Type -AssemblyName System.DirectoryServices.AccountManagement >…
0 votes, 1 answer

ksetup - Failed /GetEncTypeAttr : 0xc0000034

On the DC of a single-AD forest, I am logged in as the default domain administrator Administrator (in this case also the enterprise administrator). In an elevated PowerShell, I try to get the Kerberos encryption types with the following command (as…
0 votes, 1 answer

How can I set the 'The other domain supports Kerberos AES Encryption' setting programmatically?

In the GUI (Active Directory Domains and Trusts MMC Snap-in (domain.msc)), you can set the "The other domain supports Kerberos AES Encryption" setting for a trust relationship: I am looking for a way to set this setting programmatically. I already…
0 votes, 0 answers

When is mapUser required -

I'm not sure I understand when & why mapUser is needed. When you generate a keytab with ktpass you can map the Service Principal to a user with mapUser. You can then kinit to the Service from another machine using that keytab. When trying the same…
0 votes, 0 answers

Which Cipher Is Being Used To Encrypt NFSv4 With "sec=krb5p"?

I am using NFSv4 with sec=krb5p encryption enabled on a CentOS 7 client & server. My NFS shares mount flawlessly at boot-time, and when I query my keytab file I am able to view the list of available ciphers, as so... # klist -ke Keytab name:…
Will
0 votes, 1 answer

NFSv4 and Kerberos: access denied 50% of the time

We are trying to mount NFSv4 shares on RHEL 8 clients, with Kerberos. We have a very similar setup on another environment, and it worked fine. But on this setup, it happens that we get access denied around 50% of the time we try to mount a share: #…