devel / comp.protocols.kerberos / Re: unexpected failure for GSS Pg server

SubjectAuthor
o Re: unexpected failure for GSS Pg serverDameon Wagner

1
Re: unexpected failure for GSS Pg server
From: dameon.wagner@it.ox.ac.uk (Dameon Wagner)
Newsgroups: comp.protocols.kerberos
Subject: Re: unexpected failure for GSS Pg server
Date: Thu, 17 Feb 2022 18:03:36 +0000
Organization: University of Oxford IT Services
Lines: 55
Message-ID: <mailman.33.1645121053.8148.kerberos@mit.edu>
References: <CAOLfK3WxoVrNQdwjtoM9tv1ED_6c5C8vAWDB38OVWZBYTnV9Lg@mail.gmail.com>
<CAOLfK3VPayYwxxDqQMH3urg3kL3=sKfsTkDkVphCJP9KDEq6=w@mail.gmail.com>
<20220208230121.ofmo6nj6k6gra4dn@maia.oucs.ox.ac.uk>
<CAOLfK3Xki=zKNgwBVXwhHM0EXgbd+rchq_KY=e6b3Btvj6PcKA@mail.gmail.com>
<20220217180336.ybku3tnsndm3gvux@maia.oucs.ox.ac.uk>
To: kerberos <kerberos@mit.edu>
In-Reply-To: <CAOLfK3Xki=zKNgwBVXwhHM0EXgbd+rchq_KY=e6b3Btvj6PcKA@mail.gmail.com>
 by: Dameon Wagner - Thu, 17 Feb 2022 18:03 UTC

On Wed, Feb 16 2022 at 19:58:27 -0600, Matt Zagrabelny scribbled
in "Re: unexpected failure for GSS Pg server":
> On Tue, Feb 8, 2022 at 5:03 PM Dameon Wagner <dameon.wagner@it.ox.ac.uk>
> wrote:
>
> >
> > Armed with that information, the most likely solution would be to
> > extract a fresh keytab (using either the kadmin "ktadd" subcommand, or
> > the handy `k5srvutil` command).
> >
>
> Thanks for the detailed instructions, Dameon!
>
> Do you know why performing the ktadd increases the kvno? I believe that is
> what tripped me up. I thought I was just "re-exporting" the key from the
> KDC.

Always happy to help :)

The default behaviour of "ktadd" has always been to increment the kvno
of the principal, as it's effectively a password change (though using
a random key instead).

If you are in the position of really really needing to export a keytab
with the existing key(s) in it, you can, on the master KDC host, use
the `kadmin.local` command. Once there, you can run the "ktadd"
subcommand as before, but with the additional "-norandkey" option
(which I believe is only available via `kadmin.local`). The downside
of this though is that you're then responsible for securely
transferring the keytab to the remote host that ultimately needs it.

> >
> > It may appear a bit old, but the O'Reilly book is still a classic
> > resource for becoming familiar with Kerberos and how it functions.
> >
>
> Ha! Yup! That book is in the office and I have been WFH for the last two
> years. :/

I'm in the same boat, so know the feeling well. Thankfully I have my
own copy at arm's reach.

Back in the office soon though (which will be rather strange), with a
more extensive library available :)

Cheers.

Dameon.

--
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Unix Platform Services
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
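A diagnostic for the situation described in this thread (the service keytab still holds the kvno from the original extraction while the KDC, after `ktadd`, issues tickets under a newer one), added here as an example and not part of the original thread. It parses the output of `klist -kte` on the service host and of `kvno <principal>` run with a valid TGT; the principal name, keytab path, timestamps and version numbers are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -kte` on the service host (not real output):
# the keytab still holds kvno 3 from the original extraction.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/08/2022 17:02:11 postgres/db.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 02/08/2022 17:02:11 postgres/db.example.org@EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
"""

# Constructed sample of `kvno postgres/db.example.org` run with a valid TGT:
# the KDC issues the service ticket under its current key version, 4 after ktadd.
KVNO_OUTPUT = "postgres/db.example.org@EXAMPLE.ORG: kvno = 4\n"

# klist -kte entry: "<kvno> <date> <time> <principal> (<enctype>)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*(?:\(.+\))?\s*$")
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)\s*$")

def parse_klist(text):
    """Map principal -> set of kvnos present in the keytab."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)

def parse_kvno(text):
    """Map principal -> kvno the KDC is currently issuing tickets under."""
    return {m.group(1): int(m.group(2))
            for m in (KVNO_LINE.match(l) for l in text.splitlines()) if m}

def stale_principals(klist_text, kvno_text):
    """Principals whose keytab lacks the KDC's current kvno, as
    {principal: (sorted keytab kvnos, kdc kvno)}; empty when all match."""
    in_keytab = parse_klist(klist_text)
    return {p: (sorted(in_keytab.get(p, ())), v)
            for p, v in parse_kvno(kvno_text).items()
            if v not in in_keytab.get(p, ())}

if __name__ == "__main__":
    for princ, (have, want) in stale_principals(KLIST_OUTPUT, KVNO_OUTPUT).items():
        print(f"{princ}: keytab has kvno {have}, KDC is at {want}: install a fresh "
              "keytab (ktadd), or ktadd -norandkey via kadmin.local to keep the key")
```

On a healthy host the KDC's kvno appears among the keytab entries and the function returns an empty dict; a non-empty result is the keytab/KDC mismatch that makes the GSS accept step fail.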
