
Search results

From K5Wiki

Page title matches

  • The '''PAC and principal APIs''' project defines some APIs that are useful in an active-directory en krb5_const_principal principal,
    6 KB (800 words) - 00:29, 16 February 2010
  • * Allow client principal selection by GSSAPI apps based on the target service and hostname, using ei * Prompting the user to decide on the client principal and remembering the answer.
    13 KB (2,135 words) - 14:25, 12 October 2011
  • This project will add string attributes to krb5 principal entries in the KDB, along with kadmin support for displaying and modifying ...n OTP preauth plugin needs to know what kind of token is associated with a principal and may also need type-specific information about the token.
    5 KB (674 words) - 12:20, 11 November 2011

Page text matches

  • ...ively, a separate session key enctype preference list could exist on a per-principal basis.
    4 KB (560 words) - 13:27, 12 October 2010
  • ...ich will eventually have positive ramifications for principal renaming and principal canonicalization.
    4 KB (555 words) - 00:12, 16 February 2010
  • | <ul><li> A guide to GSS-API naming as compared to Kerberos principal naming</ul>|| || || || | <ul><li> An advanced guide to the principal manipulation and parsing</ul>|| TY || TBD || ||
    20 KB (3,209 words) - 10:28, 5 June 2013
  • principal as an arg to krb5_kt_get_entry() which will return an error if there are no entries for that principal in the keytab.
    6 KB (1,083 words) - 00:11, 16 February 2010
  • ...at the initial ticket flag is set on certain service principals. When the principal is manually created the admin needs to be able to set the flag. Is it suff Tom: Was it the changepw principal that was the problem?
    2 KB (429 words) - 17:38, 10 January 2011
  • unsigned int - client length == strlen(client principal name) + 1 variable - client principal name (NUL terminated C-string)
    11 KB (1,655 words) - 00:08, 16 February 2010
  • ...to the local KDC and requesting referrals. This may be limited to service principal names with specific name types or in specific forms (''e.g.,'' two componen * the server principal name is unknown
    5 KB (811 words) - 00:13, 16 February 2010
  • ...rals for AD support but lots of traffic about bugs in referrals. May need principal re-writing (currently only have realm re-writing) to make referrals useful
    4 KB (649 words) - 17:39, 10 January 2011
  • ...use the new error comes from inside the keytab code. Should function take principal argument? Use as search criteria? :Assumption was stash file held only 1 key -- principal used for prompting function?
    2 KB (256 words) - 17:40, 10 January 2011
  • ...mber of "security tokens" (such as a Kerberos ticket) to SOAP messages, as well as cryptographically binding tokens to messages. This provides a means for ...k" given above. Both utilize SOAP-based messages and employ WS-Security as well as WSDL. However, they diverge as one goes further "up the stack". Yet, bot
    99 KB (14,634 words) - 19:15, 29 October 2008
  • o in ACL model, only thing you have is the principal name, so fewer
    6 KB (835 words) - 17:37, 22 August 2008
  • principal and stash file and then migrate the encryption of existing which key to use when decrypting a principal's long term secret key.
    9 KB (1,614 words) - 00:11, 16 February 2010
  • ...Adding support for issuing new keys to application server for the service principal. Tom: If you have a service using a single service principal on multiple hosts. Want to create a new key and mark it as inactive. Dist
    3 KB (486 words) - 17:41, 10 January 2011
  • ...The first is support for '''Unicode principal names and case insensitive principal search'''. The goal of this project is to get behavior more similar to Mic ...second feature is generalized support for name canonicalization and server principal aliases.
    7 KB (1,146 words) - 00:37, 16 February 2010
  • The '''PAC and principal APIs''' project defines some APIs that are useful in an active-directory en krb5_const_principal principal,
    6 KB (800 words) - 00:29, 16 February 2010
  • * Query to efficiently report when a principal is locked out due to password failures * Crypto modularity -- make sure PKCS#11 etc. work well
    5 KB (580 words) - 18:06, 3 January 2017
  • ...rs with more than one hostname. Case folding and other transformations of principal names are out of scope. Management and propagation of aliases is out of sc ...s canonical. If this attribute is set and does not match the searched-for principal name, then the entry is returned only if canonicalization was requested, an
    2 KB (370 words) - 15:47, 13 March 2009
  • ...When adding an entry, please include a brief description of the term, as well as a link to where more information can be found if the term is not defined ...ile or other storage unit containing a list of tickets for the same client principal.
    5 KB (753 words) - 12:41, 14 January 2010
  • ...insecure like "master". The DB will be created in /usr/local/var/krb5kdc/principal and a few other similarly-named files. The master key stash will be create ...run with the memory checker, a log file at BUILDTOP/vg.[pid] and a list of known warnings to suppress. It is a make variable, not a shell/environment varia
    17 KB (2,849 words) - 12:17, 11 September 2019
  • ...ata proposal allows client library to track whether a KDC supports service principal referrals.
    2 KB (190 words) - 16:48, 3 March 2010
  • .../wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Principal_.22types.22 '''Principal "types":'''] client / server / krbtgs already works well with MIT application libraries.
    10 KB (1,571 words) - 09:40, 18 September 2009
  • * the Subject contains the client principal name ...cation of public key signatures and some out-of-band mechanism for binding principal names
    14 KB (2,026 words) - 13:17, 5 November 2009
  • ...l then issue a (signed) SAML assertion that identifies the Kerberos client principal, and optionally carries the original AP_REQ request (encoded in base64). In
    3 KB (502 words) - 15:35, 4 December 2009
  • | lib/krb5/principal.c | lib/krb5/principal.c
    29 KB (4,937 words) - 11:48, 31 August 2009
  • ...rary principal to itself (the service is trusted to have authenticated the principal) ...ER], introduced in Windows 2003, which consists of the "user name" (client principal) and a checksum of the PA data with the TGT session key
    12 KB (1,884 words) - 13:40, 16 February 2010
  • ...s. The default salt is specified by RFC 4120 as "the concatenation of the principal's realm and name components, in order, with no separators" but the KDC can ...key; other salt types indicate various ways of computing the salt from the principal. NORMAL indicates the default salt, but as of 1.7, the KDC explicitly comm
    8 KB (1,372 words) - 13:26, 22 September 2011
  • * ktset creates a keytab with the derived principal, in cooperation with a back end to allow creation of these principals in ...ver to provide access to the user-derived principal as if it were the user principal.
    3 KB (525 words) - 23:56, 3 January 2011
  • Authenticating as principal haoqili/admin@D.COM with password.
    15 KB (2,287 words) - 13:26, 22 December 2015
  • database_name = /tmp/krb5kdc/principal database_name = %(sandir)s/principal
    1 KB (128 words) - 11:56, 18 August 2009
  • * change the behaviour of krb5_rd_req() to always verify known authorization data elements ...ve provided helper routines for marshalling and verifying AD-KDCIssued, as well sample application- and KDC-side plugins. A few hundred lines of code in to
    33 KB (4,224 words) - 00:31, 16 February 2010
  • LDAP as extra values in the multivalued "principal name" <li> [[Principal Names, long and short names:]]
    51 KB (7,287 words) - 13:17, 2 September 2009
  • ...a certain number of preauthentication failures with a given time limit, a principal will be locked out from authenticating for a certain period of time. ...on (period in which lockout is enforced; a duration of zero means that the principal must be manually unlocked)
    11 KB (1,654 words) - 11:16, 17 November 2010
  • | principal | principal
    4 KB (626 words) - 10:34, 29 September 2009
  • ..."windc" plugin that implements methods for MS PAC generation, signing, as well as AS-REQ authorization. We could have wrapped the former inside an authdat if (proxy == extension.principal)
    12 KB (1,754 words) - 00:08, 16 February 2010
  • KRB5SignedPathPrincipals ::= SEQUENCE OF Principal client[0] Principal OPTIONAL,
    6 KB (837 words) - 00:30, 16 February 2010
  • ...This project allows users to obtain Kerberos tickets even if they have no principal registered in a realm. Use cases include hiding identity of a user for pri ...for the client principal. This principal will never appear in the service principal.
    6 KB (878 words) - 16:43, 12 December 2012
  • ...res. The first is support for Unicode principal names and case insensitive principal search. The goal of this project is to get behavior more similar to Microso ...second feature is generalized support for name canonicalization and server principal aliases.
    5 KB (802 words) - 10:03, 21 November 2009
  • [[Principal|principals]] to authenticate to a remote service without disclosing their i In completely anonymous Kerberos, a principal can authenticate to a realm with no Kerberos identity in that realm. Diffi
    2 KB (379 words) - 12:46, 11 January 2010
  • certificate is known by all clients; any certificates signed by this ...er forms of user authentication, then each user will need a certificate as well.
    10 KB (1,462 words) - 21:32, 8 October 2013
  • ...rsome; for instance, there is a 50+ line function in libkadm5srv to copy a principal into storage allocated by the DB module. ...re never productively used. A principal name can only have one associated principal. The db_get_policy function has a similar argument "cnt" which makes equal
    16 KB (2,715 words) - 13:24, 12 October 2010
  • * The list of the desired plugin implementations is known to the specific PLI which is aggregated within PM (2); plugin_pwd_qlty_check(plugin_handle, srv_handle, password, use_policy, pol, principal);
    22 KB (3,322 words) - 14:57, 3 August 2010
  • ...ying the BDB back end to sleep() for a minute when looking up a particular principal name such as "slowuser". While testing, note that libkrb5 will retry reque ...ld need a special stub KDB back end to cause worker processes to block, as well as a way to control the client retry loop.
    6 KB (1,080 words) - 11:54, 1 October 2010
  • # If the remote realm is already known, and its key is still valid for long enough, the local KXOVER daemon return The KDC admin has to create a principal for the daemon in the database in order to allow secure communication betwe
    10 KB (1,584 words) - 07:08, 14 February 2018
  • Simo mentions problems with SELinux, etc. where shared service principal but can't share rcache due to being in separate security domains. Some dis
    1 KB (155 words) - 19:26, 3 January 2011
  • The current in-memory data structure for KDB principal entries is designed around the needs of the DB2 module. As a result, it is This project is to redesign the in-memory structure for KDB principal entries, either by making it totally opaque, or just by making it more logi
    965 bytes (150 words) - 05:57, 20 July 2010
  • ...otp''' user string is unset, the '''otp''' plugin will be disabled for the principal. ..., the '''otp''' plugin will look up the '''otp''' user string on the given principal. If the string is set (i.e. non-NULL), a generic PA-OTP-CHALLENGE will be s
    5 KB (801 words) - 14:26, 11 October 2013
  • ...e><i>principal/</i>SECURID</code> principals to enable SecurID for a given principal. If this is done, then the KDC will call into the SecurID SDK and request a
    4 KB (580 words) - 16:09, 18 October 2010
  • * The principal name. * The name of the password policy associated with the principal, if any.
    6 KB (870 words) - 13:25, 12 October 2010
  • * Principal creation * Principal modification
    6 KB (779 words) - 13:37, 12 October 2010
  • ;Shawn: issues with multi-tiered using file replay caches. sharing "host" principal. locking issues? Multiple threads independently open an rcache; mutex only
    1 KB (204 words) - 19:19, 3 January 2011
  • ...nism name. This function calls krb5_sname_to_principal() to construct the principal, passing NULL for the hostname if none was supplied. krb5_sname_to_princip # Constructs a principal servicename/canonicalized-hostname@realm.
    7 KB (1,168 words) - 14:19, 12 October 2011
  • ...the state where you're setting up sshd and it's not looking for the right principal in the keytab. This is mainly targeted at gss acceptors. Don't try to guess ...ostnames - orig, fwd, rev... try all 3. (srv) acquire_cred could check for principal in keytab, error if not found. Record in the gss mechanism name object all
    5 KB (828 words) - 17:37, 3 February 2011
  • ...not need to explicitly construct principal aliases for host-based service principal names. The KDC is assumed to have the ability to look up realm-specific hos ...mpting to access. In the past, when the krb5 client library constructs the principal name for a host-based service, it does a reverse lookup on the IP address o
    1 KB (215 words) - 13:35, 12 August 2014
  • * Add support for string attributes on principal entries.
    2 KB (255 words) - 17:55, 27 January 2012
  • ...rinfo()</code>. Tried to log into a host via ssh but kept requesting wrong principal. Tried turning off <code>rdns</code> (in libdefaults) etc. Finally ran gdb
    3 KB (459 words) - 15:48, 21 June 2011
  • * Allow client principal selection by GSSAPI apps based on the target service and hostname, using ei * Prompting the user to decide on the client principal and remembering the answer.
    13 KB (2,135 words) - 14:25, 12 October 2011
  • This project will add string attributes to krb5 principal entries in the KDB, along with kadmin support for displaying and modifying ...n OTP preauth plugin needs to know what kind of token is associated with a principal and may also need type-specific information about the token.
    5 KB (674 words) - 12:20, 11 November 2011
  • ...dding TL-data. No guarantee about exposing in TL-data in the future. Makes principal less "unitary". "Design drift".
    823 bytes (122 words) - 12:28, 20 September 2011
  • ...to a customer. Hostnames change. pam_krb5 in auth stack. Why not try every principal in the keytab? .... Other keytab (containing only http key) readable by httpd could fake any principal.
    2 KB (244 words) - 15:14, 24 January 2012
  • :* Flexible KDC configuration for preauth requirements per principal
    1 KB (183 words) - 16:31, 20 February 2012
  • == Principal mapping ==
    1 KB (163 words) - 19:38, 21 February 2012
  • ;Simo: Useful to have stable principal names. Also handling multiple realms not so great. Don't want to make clien
    2 KB (271 words) - 16:19, 30 April 2012
  • ...anularity of error handling on init_creds. Invalid password different from principal not found. Is reasonable to treat differently in terms of fallback? Maybe c ;Will: Errors from propagation delays -- either password changes or principal creation.
    3 KB (457 words) - 16:14, 17 April 2012
  • ...torage appliance. AD multi-master race condition joining, creating service principal. ...KDCs. Multiple KDCs, admin servers in kdc.conf. Orders opposite. kinit -- principal not found. Should it try harder?
    1 KB (227 words) - 17:23, 17 April 2012
  • ;Greg: App might provide a desired principal name. ;Sam: Not sure about using default ccache. If application A requests a principal, can unexpectedly change the behavior of application B which uses default c
    2 KB (366 words) - 17:52, 6 June 2012
  • ...r does supply a desired name, or when krb5_cc_select() can deduce a client principal from the target name. In this case, multiple principals from the same keyt # The system should work well with credential cache collections (see [[Projects/Client_principal_selectio
    11 KB (1,732 words) - 10:05, 30 July 2014
  • ## In the KDC side we propose to just insert the principal WELLKNOW:FEDERATED with a random password (as the actual reply key will be
    6 KB (937 words) - 05:44, 7 September 2012
  • |rowspan=3|Determine service principal | cross-realm referral || ✗ || service principal, TGS
    14 KB (2,151 words) - 13:01, 29 October 2013
  • ...While we are it we're adding fields to policy for all policy-ish things in principal records. And making policy finally extensible in the same way that princip ; allowed_keysalts : key/salt type list that the principal is allowed to have keys of
    4 KB (614 words) - 19:14, 30 July 2012
  • ...ials are successfully obtained (working name ''pa_type'', on a per-service-principal basis). ...credentials are obtained (working name ''pa_config_data'', on a per-server-principal basis), and for reading them when called to generate preauth data.
    7 KB (1,211 words) - 12:51, 19 October 2012
  • ...esented a ticket with the wrong kvno or just a ticket for the wrong server principal. (Update: the simple case will be addressed in 1.13 by {{bug|7232}}.)
    4 KB (614 words) - 13:39, 2 April 2019
  • Our administrative toolset mostly provides support for operating on one principal entry or policy at a time. As the number of principals in a database incre Some known and hypothesized use cases for reporting and bulk operations are:
    4 KB (654 words) - 18:07, 2 March 2015
  • ;Simo: client@REALM1 does AS-REQ to REALM2, gets "principal unknown" instead of "wrong realm".
    1 KB (166 words) - 15:46, 3 December 2012
  • ...cle. To configure, you needed to give it principal and password with kadm5 principal creation privileges. Won't work in FreeIPA.
    2 KB (358 words) - 17:04, 19 December 2012
  • ...ntains the policy_refcnt field in its principal operations (so modifying a principal can also result in modifying its old or new policy reference), and refuses ...This created a terrible performance problem--especially since fetching a principal currently requires fetching its associated policy object. After {{bug|6799
    7 KB (1,073 words) - 02:08, 15 March 2013
  • The krb5_aname_to_localname() function attempts to convert a krb5 principal name into a local account name according to policy. The default behavior m ...in file exists, authorization succeeds if krb5_aname_to_localname maps the principal name to the local account name.
    6 KB (865 words) - 14:06, 16 August 2013
  • ...n returned ticket for direct cross-realm unless ok-as-delegate flag set on principal, but only for S4U2Self.
    1 KB (228 words) - 17:14, 30 January 2013
  • This project adds the ability to have principal entries with no long-term keys. Traditionally, it was useless for a principal entry to have no long-term keys because you wouldn't be able to authenticat
    6 KB (982 words) - 12:51, 17 July 2013
  • * Reduce DNS-related difficulties with service principal names ** Config to disable client service principal canonicalization
    1 KB (125 words) - 13:02, 11 March 2014
  • ;Greg: DAL can return a referral TGS principal.
    2 KB (381 words) - 18:19, 1 March 2013
  • ...eys use the "user" key type, and contain serialized representations of the principal name or credential as appropriate.
    7 KB (1,099 words) - 09:38, 4 October 2013
  • ;Greg: Write a project page. LDAP back end can check but ignores client principal. [ this would be a new capability ] ...rm would be "@REALMNAME". Heimdal apparently gives you a single-component principal whose content is "@" in that case.
    1 KB (197 words) - 16:44, 13 June 2013
  • ...lback_realm() function attempts to map a hostname to one or more realms as well, using more heuristic or insecure approaches than krb5_get_host_realm(). W ...m()). It is used chiefly by krb5_parse_name() when the string form of the principal contains no realm, but is also used in many other ways.
    7 KB (1,010 words) - 14:05, 16 August 2013
  • ...als, but does not have provisions for which user principals that the proxy principal can request service tickets on behalf of. DESC 'Principal names member of a groupOfPrincipals group'
    9 KB (1,275 words) - 17:38, 10 September 2014
  • ...RADIUS server must have access to passwords or verification hashes for the principal. ...ecified and implemented. The new armor type uses a PAKE exchange with the principal's long-term key. Within the resulting FAST channel, the client performs OT
    10 KB (1,684 words) - 12:22, 5 September 2014
  • ...ject will implement a means of restricting access without requiring that a principal always authenticates using high-strength pre-authentication, by marking how ...pal if it was not already loaded, and the AD-SIGNTICKET code will use that principal entry for its checksums.
    14 KB (2,182 words) - 22:13, 24 August 2015
  • ;Greg: Aliases? e.g. client uses a ticket with a service principal alias, but the keytab also has the wrong kvno. (Which should take priority
    996 bytes (164 words) - 15:14, 30 April 2014
  • DOD sites primarily use DOD CAC with PKINIT. MIT implementation expects principal name in cert; need patches for MIT KDC to handle this. Non-CAC includes Se ...d service principals. There is interest in splitting the flag somehow, as well as the related requires_hwauth. There are sites using existing dual meanin
    4 KB (604 words) - 18:27, 20 May 2014
  • ...bly best to somehow encode something similar to what is currently used for principal key data storage and put in a new attribute. ...et realm TGT when getting service tickets instead of cueing off the client principal's realm. Viktor will call in next week to describe more details.
    1 KB (202 words) - 16:40, 10 June 2014
  • ...represent more structured data that would otherwise need multiple rows per principal. Clustered services that have multiple hosts needing to share a single service principal/key. Different sites have different requirements for how this needs to wor
    2 KB (345 words) - 10:49, 30 June 2014
  • Will asks about the special kiprop principal. Apparently Solaris creates it automatically at KDB creation time, and MIT
    657 bytes (97 words) - 15:11, 24 June 2014
  • # Specify mapping from cert to principal. Was matching string inside TL-data, now using string attributes. Ken's KDC principal matching rules are a generalization of existing matching rules in the PKINI
    2 KB (306 words) - 16:14, 19 August 2014
  • ...current replay cache implementation has severe performance limitations as well as flaws which can cause both false positives and false negatives. Many se ...r name field. Records are generally small, but are not fixed-size because principal names vary in length.
    11 KB (1,865 words) - 02:31, 21 February 2019
  • ...l APIs. In release 1.10, the [[Projects/Client_principal_selection|client principal selection]] project implemented the collection-enabled DIR credential cache ...switchable type, kinit will scan the collection for a cache with the same principal as it is acquiring credentials for, and will refresh that cache if one is f
    7 KB (1,215 words) - 11:45, 24 March 2015
  • # Construct the first PAKEProfile-specific PAKEMessage using the principal's secret key. ...roadly implemented (including OpenSSL, NSS and BouncyCastle). There are no known patents covering it. The only major downside of using it is that it require
    10 KB (1,401 words) - 16:19, 17 March 2015
  • ...y hexadecimal format, as an artifact of being stored in the tl_data of the principal. ===Principal metadata===
    6 KB (856 words) - 16:11, 14 September 2015
  • ...ning for negative kvno values in krb5_dbe_def_search_enctype(), the server principal will not work (TGS requests will receive "KDC has no support for encryption
    9 KB (1,477 words) - 22:12, 24 August 2015
  • ...That is, the desired service principal's realm is replaced with the client principal's and a TGS-REQ is sent to that realm's TGS. - when the client principal's realm is a WELLKNOWN realm (e.g., the anonymous realm)
    4 KB (728 words) - 12:15, 23 July 2019
  • * Implement principal renaming in LDAP back end
    814 bytes (102 words) - 17:15, 7 October 2016
  • ...ther to offer specific factors (including SF-NONE) for a particular client principal.
    5 KB (846 words) - 01:36, 28 October 2015
  • ...the PRF+ function with the string "COOKIE" followed by the unparsed client principal name as input. The encryption uses key usage 513, which is in the key usag
    7 KB (1,065 words) - 14:25, 23 September 2015
  • ===Principal key history=== * Principal name
    2 KB (272 words) - 16:08, 14 September 2015
  • ...y set to /opt/csw. This would ordinarily allow ssh access by the Kerberos principal games@ATHENA.MIT.EDU. We change the home directory of this account to / so ...als may be added to .k5login, but make sure it exists so that the Kerberos principal "buildbot" does not have access to the account.
    7 KB (1,263 words) - 11:54, 12 July 2018
  • ...ontain a SAN (Subject Alternative Name) field containing either a Kerberos principal or a Microsoft UPN. In some deployments, certificates are issued from a th ...nge) to determine whether a certificate is authorized to authenticate to a principal. A certauth module can be implemented in the same shared object as a KDB m
    3 KB (495 words) - 11:30, 5 December 2018
  • Conversions to an unsigned integer type are well-specified (C99 section 6.3.1.3), as are arithmetic operations on unsigned t * lockout.c (LDAP and DB2) compares timestamps to determine if a principal entry is locked or was administratively unlocked.
    18 KB (2,968 words) - 15:53, 7 May 2017
  • ...principal operations, which may result in changes to the added or modified principal. ...urrently not possible with kadm5.acl as we only allow wildcarding of whole principal components.
    9 KB (1,469 words) - 18:03, 29 July 2017
  • ...script from krbdev-services into it. Also create a keytab for the krbsnap principal in ~/snap/krbsnap.keytab. Add the cron job to run gensnap from krbdev/krbs
    8 KB (1,183 words) - 21:33, 17 April 2020
  • ...be associated with the principal entry in the KDB to bind the token to the principal. Signing produces a one-time access credential in response to a challenge. * Registration is performed in band. The KDC administrator flags the principal entry as requiring token registration, causing the KDC to issue a special c
    6 KB (966 words) - 16:34, 6 November 2018
  • ...e, krb5_sname_to_principal() would have to leave the short hostname in the principal name, and krb5_get_credentials() would have to add suffixes when performing ...5.conf variable, allowing greater administrator control over the canonical principal names the library will try. Here is an example from Heimdal's krb5.conf(5)
    7 KB (1,179 words) - 17:37, 7 December 2019
  • ...({{rfcref|6803}} section 3), the KDC may issue a ticket to an outgoing TGS principal; this is called a "referral". ...he "subject") to the requesting service. The subject may be identified by principal or by X.509 certificate. S4U2Self requests do not require special privileg
    13 KB (2,178 words) - 03:19, 9 December 2021