7 More Discussions You Might Find Interesting
1. HP-UX
We have two HP-UX machines, both are B.11.31.
When I FTP from the HP-UX boxes to a remote IBM server,-
HP-UX 1:
Connected to xxxx.
220-FTPD1 IBM FTP CS V1R12 at R2, 12:24:39 on 2013-08-30.
220 Connection will close if idle for more than 15 minutes.
Name (xxxx:user):
HP-UX 2:... (2 Replies)
Discussion started by: CaptNemo
2 Replies
2. Slackware
I have a postfix/dovecot mail server.
On centos6 works great,sso with gssapi on linux and windows clients.
On Slackware i have problems,Linux clients(thunderbird and mutt) connect ok,but not windows clients.
on logfile only this
Apr 19 19:01:41 cluster1 dovecot: auth: Debug: auth client... (0 Replies)
Discussion started by: Linusolaradm1
0 Replies
3. Shell Programming and Scripting
Hello
I hope somebody can help with this.
I have a shell, that in case of failure, sends an email (relaying through an Exchange Server). This Exchange server only offers NTLM authentication.
250-AUTH NTLM
This is the configuration I have:
Postfix 2.1.1 as client.
Cyrus-SASL... (1 Reply)
Discussion started by: viktor1985
1 Replies
4. UNIX for Dummies Questions & Answers
Hello
I hope somebody can help with this.
I have a shell, that in case of failure, sends an email (relaying through an Exchange Server). This Exchange server only offers NTLM authentication.
250-AUTH NTLM
This is the configuration I have:
Postfix 2.1.1 as client.
Cyrus-SASL... (1 Reply)
Discussion started by: viktor1985
1 Replies
5. Red Hat
Hi Experts,
While trying ftp from newly setup Linux box it is giving following error.
GSSAPI error major:Unspecified GSS failure.Minor code may provide more information
GSSAPI error minor:Unknown code krb5 195
GSSAPI error:initializing context
GSSAPI authntication failed
504 AUTH... (1 Reply)
Discussion started by: sai_2507
1 Replies
6. Red Hat
On Debian i set my ldap server,using tls and all works ok.
On Redhat i have set my ldap server,using tls ok...but
when i try to use ldapsearch without -x and with rootpw(created with slappasswd) it ask for sasl password!
The question is: is possible to disable sasl?
Thanks (2 Replies)
Discussion started by: Linusolaradm1
2 Replies
7. Solaris
Configure ldap client:
I have configured my ldapclient with the AuthenticationMethod=simple and with the credentialLevel=proxy. However, as soon as i want to set the AuthenticationMethod=sasl/GSSAPI, and credentiallevel=self, then it fails to configure. Kerberos is already setup successfully. The... (0 Replies)
Discussion started by: Henk Trumpie
0 Replies
GSSAPI(3) BSD Library Functions Manual GSSAPI(3)
NAME
gssapi -- Generic Security Service Application Program Interface library
LIBRARY
GSS-API Library (libgssapi, -lgssapi)
DESCRIPTION
The Generic Security Service Application Program Interface (GSS-API) provides security services to callers in a generic fashion, supportable
with a range of underlying mechanisms and technologies and hence allowing source-level portability of applications to different environments.
The GSS-API implementation in Heimdal implements the Kerberos 5 and the SPNEGO GSS-API security mechanisms.
LIST OF FUNCTIONS
These functions constitute the gssapi library, libgssapi. Declarations for these functions may be obtained from the include file gssapi.h.
Name/Page
gss_accept_sec_context(3)
gss_acquire_cred(3)
gss_add_cred(3)
gss_add_oid_set_member(3)
gss_canonicalize_name(3)
gss_compare_name(3)
gss_context_time(3)
gss_create_empty_oid_set(3)
gss_delete_sec_context(3)
gss_display_name(3)
gss_display_status(3)
gss_duplicate_name(3)
gss_export_name(3)
gss_export_sec_context(3)
gss_get_mic(3)
gss_import_name(3)
gss_import_sec_context(3)
gss_indicate_mechs(3)
gss_init_sec_context(3)
gss_inquire_context(3)
gss_inquire_cred(3)
gss_inquire_cred_by_mech(3)
gss_inquire_mechs_for_name(3)
gss_inquire_names_for_mech(3)
gss_krb5_ccache_name(3)
gss_krb5_compat_des3_mic(3)
gss_krb5_copy_ccache(3)
gss_krb5_extract_authz_data_from_sec_context(3)
gss_krb5_import_ccache(3)
gss_process_context_token(3)
gss_release_buffer(3)
gss_release_cred(3)
gss_release_name(3)
gss_release_oid_set(3)
gss_seal(3)
gss_sign(3)
gss_test_oid_set_member(3)
gss_unseal(3)
gss_unwrap(3)
gss_verify(3)
gss_verify_mic(3)
gss_wrap(3)
gss_wrap_size_limit(3)
COMPATIBILITY
The Heimdal GSS-API implementation had a bug in releases before 0.6 that made it fail to inter-operate when using DES3 with other GSS-API
implementations when using gss_get_mic() / gss_verify_mic(). It is possible to modify the behavior of the generator of the MIC with the
krb5.conf configuration file so that old clients/servers will still work.
New clients/servers will try both the old and new MIC in Heimdal 0.6. In 0.7 it will check only if configured - the compatibility code will
be removed in 0.8.
Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this will change in 0.7 to generate correct des3 mic.
To turn on compatibility with older clients and servers, change the [gssapi] broken_des3_mic in krb5.conf that contains a list of globbing
expressions that will be matched against the server name. To turn off generation of the old (incompatible) mic of the MIC use [gssapi]
correct_des3_mic.
If a match for a entry is in both [gssapi] correct_des3_mic and [gssapi] broken_des3_mic, the later will override.
This config option modifies behaviour for both clients and servers.
Microsoft implemented SPNEGO to Windows2000, however, they managed to get it wrong, their implementation didn't fill in the MechListMIC in
the reply token with the right content. There is a work around for this problem, but not all implementation support it.
Heimdal defaults to correct SPNEGO when the the kerberos implementation uses CFX, or when it is configured by the user. To turn on compati-
bility with peers, use option [gssapi] require_mechlist_mic.
EXAMPLES
[gssapi]
broken_des3_mic = cvs/*@SU.SE
broken_des3_mic = host/*@E.KTH.SE
correct_des3_mic = host/*@SU.SE
require_mechlist_mic = host/*@SU.SE
BUGS
All of 0.5.x versions of heimdal had broken token delegations in the client side, the server side was correct.
SEE ALSO
krb5(3), krb5.conf(5), kerberos(8)
BSD
April 20, 2005 BSD