Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation are likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used platforms.

1197 questions
11 votes, 4 answers

Multiple Realms and Multiple TGTs under MIT Kerberos for Windows

My local computer uses Windows 7 Pro and belongs to realm LR, managed by AD servers. I log in to my computer while attached to that realm's network. I can view the TGT with MIT Kerberos for Windows ver. 4.0.1. I want to access resources on a foreign…
9 votes, 2 answers

Kerberos: Separating AS and TGS

In Kerberos, the Authentication Server (AS) and the Ticket Granting Server (TGS) are generally implemented on the same server. This machine is called the Key Distribution Center (KDC). Surely, it makes sense to implement these services on the same…
Misch
9 votes, 1 answer

How to Change the Kerberos Default Ticket Lifetime

Our KDC servers are running either Ubuntu Dapper (2.6.15-28) or Hardy (2.6.24-19). The Kerberos software is the MIT implementation of Kerberos 5. By default, a Kerberos ticket lasts for 10 hours. However, we'd like to increase it a bit (e.g. 14…
user40497
6 votes, 7 answers

kinit: Cannot contact any KDC for realm 'UBUNTU' while getting initial credentials

I am installing Kerberos5-1.12.1 on an Ubuntu machine with these instructions. Whenever I am trying to do: kinit user1 I am facing an error: kinit: Cannot contact any KDC for realm 'UBUNTU' while getting initial credentials Below are my krb5.conf…
4 votes, 1 answer

Kerberos - Maximum renewable lifetime

I am trying to set the maximum renewable lifetime of the issued Kerberos tickets to 365 days, however, the following changes that I have made seem to be ignored: Inside /etc/krb5.conf: [libdefaults] ... renew_lifetime =…
4 votes, 1 answer

Kerberos says there is no KDC at my server's location while getting initial credentials

This is probably some stupid error I've overlooked, but I've been working on this on and off for about a week. Running version 1.10.3 release 17.fc18 This is my krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc =…
Niles
3 votes, 1 answer

How can I restrict Kerberos service tickets by group?

I have multiple Linux servers all configured to allow Kerberos authentication with Active Directory. All other user and group attributes reside in a separate directory server (389). I am able to log in and fetch user information (getent passwd, id,…
Darren
3 votes, 1 answer

Kerberos Ticket Expiry what happens?

I have noticed a couple of messages about my Kerberos credentials expiring. What does this actually mean and what will happen when they expire? How do I renew them? Is it just a case of logging in again? -bash-3.00$ Message from…
pjp
3 votes, 2 answers

Meaning of Kerberos e-data field value

I'm using Kerberos on Windows (non-Windows software generates the token) and have been trying to debug a problem. In a network trace, I can see KRB5KRB_ERR_GENERIC is being returned by the IIS server. The e-data field is supposed to contain a…
snibbets
3 votes, 2 answers

Why do Kerberos HOWTOs specify to copy keytabs securely to the host? Is networked kadmin not secure?

Kerberos HOWTOs often have words similar to these: Securely transfer (via flash drive, disk, or encrypted connection) the keytab to the client host. Is logging in on the client host as root, running kinit to get credentials for an administrative…
lmz
3 votes, 1 answer

Use a preferred username but authenticate against Kerberos principal

What I desire to do should be pretty simple. I have an Ubuntu 10.04 box. It's currently configured to authenticate users against a Kerberos realm (EXAMPLE.ORG). There is only one realm in the krb5.conf file and it is the default…
2 votes, 1 answer

Does Kerberos provide Encryption of Application Session data?

I understand Kerberos provides authentication using encryption. I see it exchanges session keys. Are those session keys used for applications to send their data over that network encryption after authentication is performed? For an example to…
jouell
2 votes, 1 answer

How does a Kerberos Client determine the Service Name portion of an SPN?

If I deploy a server called FOO/host.example.com@myrealm how does a client become aware that the service name is FOO? ENV: Unix / MIT Kerberos 1.4 or 1.10 I see Windows has some sort of mapping: How exactly does the HOST/machine SPN work?, what…
jouell
2 votes, 1 answer

Why doesn't purging Kerberos tickets work on a domain controller?

To get a computer to update its group memberships without rebooting the computer, you can purge Kerberos tickets with the command klist -li 0x3e7 purge. A subsequent gpupdate or gpresult will reflect the new group memberships. However, this does not…
Appleoddity
1 vote, 0 answers

Kerberos slave doesn't update his Master KDC DB fields

Since we've put in place a Master/Slave for our Kerberos, we've noticed that our fields don't get updated (information-wise) Last password change: Fri Aug 02 10:18:08 GMT 2019 Last modified: Fri Aug 02 10:18:08 GMT 2019…
Tolsadus