perlgssapi-users Mailing List for Perl GSSAPI bindings
Brought to you by: achimgrolms
From: Stijn De W. <sti...@ug...> - 2016-10-13 11:46:47
hi achim,

thanks for clarifying.

yes, this works, eg on an el7 box (the script has only perl-GSSAPI, no kinit)

> [root@fqdn tmp]# rm -Rf /tmp/x1/
> [root@fqdn tmp]# KRB5CCNAME=DIR:/tmp/x1 klist -A
> [root@fqdn tmp]# ./getcred_hostbased_n2205.pl
> verify with KRB5CCNAME=DIR:/tmp/x1 klist -A
> ENV{KRB5CCNAME} DIR:/tmp/x1
>
> using Name host/fqd...@HP...
> Security context's time to live 86400 secs
> seems everything is fine, type klist to see the ticket
> [root@fqdn tmp]# KRB5CCNAME=DIR:/tmp/x1 klist -A
> Ticket cache: DIR::/tmp/x1/tktvrgaxm
> Default principal: host/fqd...@HP...
>
> Valid starting       Expires              Service principal
> 10/13/2016 13:44:00  10/14/2016 13:44:00  krbtgt/REALM@REALM
> 10/13/2016 13:44:00  10/14/2016 13:44:00  host/fqdn@REALM

stijn

On 10/13/2016 11:58 AM, Achim Grolms wrote:
> On Thursday 13 October 2016, Stijn De Weirdt wrote:
>> as a followup question, if getting the initial TGT is not part of
>> (older?) perl-GSSAPI,
>
> The Protocol and API GSSAPI is a layer on top of Kerberos and _other_
> authentication "mechtypes".
>
> So there is no "get a TGT" call in the GSSAPI specification, because the
> concept "TGT" is "one layer below" and not in the perl-wrapper around the
> C-interface as defined in RFC 2744:
>
> --------------------------------
> Perl Interface GSSAPI.pm
> --------------------------------
> GSSAPI-Implementation of RFC 2744,
> for Example Heimdal or MIT
> --------------------------------
> Kerberos5 implementation
> for Example Heimdal or MIT
> --------------------------------
>
>> does anyone have any idea why this works on el7?
>
> I have no idea why this works.
> To be sure: you have run kdestroy first to ensure there is no valid TGT from
> older requests?
>
>> is it a change in the krb5 libs (and if so, does anyone have any idea
>> which versions have this?)
>
> I have no idea.
From: Achim G. <ac...@gr...> - 2016-10-13 10:11:02
On Thursday 13 October 2016, Stijn De Weirdt wrote:
> as a followup question, if getting the initial TGT is not part of
> (older?) perl-GSSAPI,

The Protocol and API GSSAPI is a layer on top of Kerberos and _other_
authentication "mechtypes".

So there is no "get a TGT" call in the GSSAPI specification, because the
concept "TGT" is "one layer below" and not in the perl-wrapper around the
C-interface as defined in RFC 2744:

--------------------------------
Perl Interface GSSAPI.pm
--------------------------------
GSSAPI-Implementation of RFC 2744,
for Example Heimdal or MIT
--------------------------------
Kerberos5 implementation
for Example Heimdal or MIT
--------------------------------

> does anyone have any idea why this works on el7?

I have no idea why this works.
To be sure: you have run kdestroy first to ensure there is no valid TGT from
older requests?

> is it a change in the krb5 libs (and if so, does anyone have any idea
> which versions have this?)

I have no idea.

>
> many thanks,
>
> stijn
>
> On 10/11/2016 08:16 AM, Stijn De Weirdt wrote:
> > hi achim,
> >
> >> just to be sure: The output from both commands with the same
> >> kerberos-config? Only the versions of Kerberos-libraries differ?
> >
> > the only difference on el7 is the
> > "default_ccache_name = KEYRING:persistent:%{uid}" entry in libdefaults.
> > (but on el7, when i set KRB5CCNAME to DIR:/something or FILE:, it also
> > works)
> >
> >> In both cases you have run successfully the kinit before and have a valid
> >> TGT?
> >
> > kinit -kt /etc/krb5.keytab works, but i'm trying to get the context
> > without a valid TGT present (ie an empty cache). so the output is
> > produced without a valid TGT present.
From: Stijn De W. <sti...@ug...> - 2016-10-13 07:13:45
as a followup question, if getting the initial TGT is not part of
(older?) perl-GSSAPI, does anyone have any idea why this works on el7?
is it a change in the krb5 libs (and if so, does anyone have any idea
which versions have this?)

many thanks,

stijn

On 10/11/2016 08:16 AM, Stijn De Weirdt wrote:
> hi achim,
>
>> just to be sure: The output from both commands with the same kerberos-config?
>> Only the versions of Kerberos-libraries differ?
> the only difference on el7 is the
> "default_ccache_name = KEYRING:persistent:%{uid}" entry in libdefaults.
> (but on el7, when i set KRB5CCNAME to DIR:/something or FILE:, it also
> works)
>
>>
>> In both cases you have run successfully the kinit before and have a valid TGT?
> kinit -kt /etc/krb5.keytab works, but i'm trying to get the context
> without a valid TGT present (ie an empty cache). so the output is
> produced without a valid TGT present.
>
>
> stijn
>
>>
>> Best Regards,
>> Achim
>>
>>
>>
>> On Monday 10 October 2016, Stijn De Weirdt wrote:
>>> hi all,
>>>
>>> following the example code in
>>> http://search.cpan.org/~agrolms/GSSAPI-0.23/GSSAPI.pm
>>> i manage to create and list the credentials on a system where no cache
>>> existed before on centos7 (perl-5.16.3-286.el7.x86_64
>>> krb5-libs-1.13.2-12.el7_2.x86_64 perl-GSSAPI-0.28-9.el7.x86_64)
>>>
>>> running with KRB5_TRACE=/dev/stdout, i get
>>>
>>>> using Name host/fqdn@REALM
>>>> Security context's time to live 74391 secs
>>>> seems everything is fine, type klist to see the ticket
>>>>
>>>> [5408] 1476125005.968256: Getting credentials host/fqdn@REALM ->
>>>> host/fqdn@REALM using ccache DIR::/tmp/x1/tktgfp8aQ [5408]
>>>> 1476125005.968489: Retrieving host/fqdn@REALM -> host/fqdn@REALM from
>>>> DIR::/tmp/x1/tktgfp8aQ with result: 0/Success [5408] 1476125005.968609:
>>>> Creating authenticator for host/fqdn@REALM -> host/fqdn@REALM, seqnum
>>>> 252462246, subkey aes256-cts/CBEE, session key aes256-cts/BB8B
>>>
>>> and afterwards klist shows expected
From: Stijn De W. <sti...@ug...> - 2016-10-11 06:16:42
hi achim,

> just to be sure: The output from both commands with the same kerberos-config?
> Only the versions of Kerberos-libraries differ?
the only difference on el7 is the
"default_ccache_name = KEYRING:persistent:%{uid}" entry in libdefaults.
(but on el7, when i set KRB5CCNAME to DIR:/something or FILE:, it also
works)

>
> In both cases you have run successfully the kinit before and have a valid TGT?
kinit -kt /etc/krb5.keytab works, but i'm trying to get the context
without a valid TGT present (ie an empty cache). so the output is
produced without a valid TGT present.


stijn

>
> Best Regards,
> Achim
>
>
>
> On Monday 10 October 2016, Stijn De Weirdt wrote:
>> hi all,
>>
>> following the example code in
>> http://search.cpan.org/~agrolms/GSSAPI-0.23/GSSAPI.pm
>> i manage to create and list the credentials on a system where no cache
>> existed before on centos7 (perl-5.16.3-286.el7.x86_64
>> krb5-libs-1.13.2-12.el7_2.x86_64 perl-GSSAPI-0.28-9.el7.x86_64)
>>
>> running with KRB5_TRACE=/dev/stdout, i get
>>
>>> using Name host/fqdn@REALM
>>> Security context's time to live 74391 secs
>>> seems everything is fine, type klist to see the ticket
>>>
>>> [5408] 1476125005.968256: Getting credentials host/fqdn@REALM ->
>>> host/fqdn@REALM using ccache DIR::/tmp/x1/tktgfp8aQ [5408]
>>> 1476125005.968489: Retrieving host/fqdn@REALM -> host/fqdn@REALM from
>>> DIR::/tmp/x1/tktgfp8aQ with result: 0/Success [5408] 1476125005.968609:
>>> Creating authenticator for host/fqdn@REALM -> host/fqdn@REALM, seqnum
>>> 252462246, subkey aes256-cts/CBEE, session key aes256-cts/BB8B
>>
>> and afterwards klist shows expected
>>
>> (fqdn and REALM are replaced)
>>
>>
>> however on EL6 system (perl-5.10.1-141.el6_7.1.x86_64
>> krb5-libs-1.10.3-57.el6.x86_64 perl-GSSAPI-0.26-6.el6.x86_64),
>> i get
>>
>>> [8576] 1476125499.295546: ccselect can't find appropriate cache for
>>> server principal host/fqdn@REALM
>>>
>>> using Name host/fqdn@REALM
>>>
>>> Errors: Unspecified GSS failure. Minor code may provide more information
>>> Credentials cache file '/tmp/krb5cc_0' not found
>>> major 851968 minor 2529639107
>>
>> my question is: what GSSAPI and/or krb5 version is required to be able
>> to create a credential cache where none existed before?
>>
>> or can someone shed some light on the error above?
>>
>> many thanks,
>>
>> stijn
From: Stijn De W. <sti...@ug...> - 2016-10-10 18:55:26
hi all,

following the example code in
http://search.cpan.org/~agrolms/GSSAPI-0.23/GSSAPI.pm
i manage to create and list the credentials on a system where no cache
existed before on centos7 (perl-5.16.3-286.el7.x86_64
krb5-libs-1.13.2-12.el7_2.x86_64 perl-GSSAPI-0.28-9.el7.x86_64)

running with KRB5_TRACE=/dev/stdout, i get

> using Name host/fqdn@REALM
> Security context's time to live 74391 secs
> seems everything is fine, type klist to see the ticket
> [5408] 1476125005.968256: Getting credentials host/fqdn@REALM -> host/fqdn@REALM using ccache DIR::/tmp/x1/tktgfp8aQ
> [5408] 1476125005.968489: Retrieving host/fqdn@REALM -> host/fqdn@REALM from DIR::/tmp/x1/tktgfp8aQ with result: 0/Success
> [5408] 1476125005.968609: Creating authenticator for host/fqdn@REALM -> host/fqdn@REALM, seqnum 252462246, subkey aes256-cts/CBEE, session key aes256-cts/BB8B

and afterwards klist shows expected

(fqdn and REALM are replaced)

however on EL6 system (perl-5.10.1-141.el6_7.1.x86_64
krb5-libs-1.10.3-57.el6.x86_64 perl-GSSAPI-0.26-6.el6.x86_64),
i get

> [8576] 1476125499.295546: ccselect can't find appropriate cache for server principal host/fqdn@REALM
> using Name host/fqdn@REALM
> Errors: Unspecified GSS failure. Minor code may provide more information
> Credentials cache file '/tmp/krb5cc_0' not found
> major 851968 minor 2529639107

my question is: what GSSAPI and/or krb5 version is required to be able
to create a credential cache where none existed before?

or can someone shed some light on the error above?

many thanks,

stijn
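Added example, not part of the original thread or of perl-GSSAPI: the failing EL6 run above prints "major 851968 minor 2529639107". The shell functions below split a GSS-API major status into the calling-error, routine-error and supplementary fields laid out in RFC 2744, and convert the minor status to the signed 32-bit form in which MIT krb5 lists its error codes. The function names are made up for this example.

```shell
#!/bin/sh
# Decode GSS-API status words as printed in the thread.
# Major status layout (RFC 2744): bits 24-31 calling error,
# bits 16-23 routine error, bits 0-15 supplementary information.
# Function names are illustrative, not part of any library.

gss_calling_name() {
    case "$1" in
        0) echo "none" ;;
        1) echo "GSS_S_CALL_INACCESSIBLE_READ" ;;
        2) echo "GSS_S_CALL_INACCESSIBLE_WRITE" ;;
        3) echo "GSS_S_CALL_BAD_STRUCTURE" ;;
        *) echo "unknown($1)" ;;
    esac
}

gss_routine_name() {
    case "$1" in
        0)  echo "none" ;;
        1)  echo "GSS_S_BAD_MECH" ;;
        2)  echo "GSS_S_BAD_NAME" ;;
        3)  echo "GSS_S_BAD_NAMETYPE" ;;
        4)  echo "GSS_S_BAD_BINDINGS" ;;
        5)  echo "GSS_S_BAD_STATUS" ;;
        6)  echo "GSS_S_BAD_SIG" ;;
        7)  echo "GSS_S_NO_CRED" ;;
        8)  echo "GSS_S_NO_CONTEXT" ;;
        9)  echo "GSS_S_DEFECTIVE_TOKEN" ;;
        10) echo "GSS_S_DEFECTIVE_CREDENTIAL" ;;
        11) echo "GSS_S_CREDENTIALS_EXPIRED" ;;
        12) echo "GSS_S_CONTEXT_EXPIRED" ;;
        13) echo "GSS_S_FAILURE" ;;
        14) echo "GSS_S_BAD_QOP" ;;
        15) echo "GSS_S_UNAUTHORIZED" ;;
        16) echo "GSS_S_UNAVAILABLE" ;;
        17) echo "GSS_S_DUPLICATE_ELEMENT" ;;
        18) echo "GSS_S_NAME_NOT_MN" ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Supplementary bits are flags, so several can be set at once.
gss_supplementary_names() {
    info=$(( $1 & 0xffff ))
    names=""
    bit=1
    for name in GSS_S_CONTINUE_NEEDED GSS_S_DUPLICATE_TOKEN GSS_S_OLD_TOKEN \
                GSS_S_UNSEQ_TOKEN GSS_S_GAP_TOKEN; do
        if [ $(( info & bit )) -ne 0 ]; then
            names="${names:+$names,}$name"
        fi
        bit=$(( bit << 1 ))
    done
    echo "${names:-none}"
}

gss_decode_major() {
    major=$1
    calling=$(( (major >> 24) & 0xff ))
    routine=$(( (major >> 16) & 0xff ))
    echo "calling=$(gss_calling_name "$calling") routine=$(gss_routine_name "$routine") supplementary=$(gss_supplementary_names "$major")"
}

# The minor status is mechanism-specific. The krb5 mechanism hands back its
# own (negative) error code as an unsigned 32-bit number; undo that here.
gss_minor_signed() {
    if [ "$1" -ge 2147483648 ]; then
        echo $(( $1 - 4294967296 ))
    else
        echo "$1"
    fi
}

# Values from the failing EL6 run quoted in the thread.
gss_decode_major 851968       # routine error 13, GSS_S_FAILURE
gss_minor_signed 2529639107   # -1765328189, KRB5_FCC_NOFILE in MIT krb5's error table
```

The major status only says "failure in the mechanism"; the minor status is the part that matches the "Credentials cache file ... not found" text in the error output.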
From: Achim G. <ac...@gr...> - 2016-03-11 22:35:05
Hi Phalgun,

currently I have no idea what is going wrong.

1. If I read the stacktrace correctly "get_value_vt" causes
the "(invalid address alignment)".
"get_value_vt" is deep inside the Kerberos-Library,
I have no idea *how* GSSAPI.pm can cause this error.

At first I will give a try to reproduce your bug-report,
can you provide me the full version of your kerberos-implementation,
for example by running

kinit --version

?

I don't have any Solaris/SunOS available for testing.
Is there any chance I send some C-Code to you to get some testresults?

Best Regards,
Achim

On Friday 11 March 2016, Phalgun Vaddepalli wrote:
> Hi Team,
>
> I've been using kerberos on Solaris for quite some time and recently have
> upgraded to Kerberos 1.14. As a result the GSSAPI had to be recompiled with
> the newer version of Kerberos. While running the test inquire_cred.t causes
> a core dump.
>
> I have raised a question on stackoverflow with all the details since I was
> unaware of this mailing list:-
> http://stackoverflow.com/questions/35935192/perl-module-gssapi-core-dumps-with-kerberos-1-14?noredirect=1#comment59541504_35935192
>
> Could someone help me out with it?
> Thanks,
> Phalgun Vaddepalli
From: Phalgun V. <pha...@gm...> - 2016-03-11 17:53:01
Hi Team,

I've been using kerberos on Solaris for quite some time and recently have
upgraded to Kerberos 1.14. As a result the GSSAPI had to be recompiled with
the newer version of Kerberos. While running the test inquire_cred.t causes
a core dump.

I have raised a question on stackoverflow with all the details since I was
unaware of this mailing list:-
http://stackoverflow.com/questions/35935192/perl-module-gssapi-core-dumps-with-kerberos-1-14?noredirect=1#comment59541504_35935192

Could someone help me out with it?
Thanks,
Phalgun Vaddepalli
From: Natxo A. <nat...@gm...> - 2013-01-31 21:21:08
hi,

is it possible to use this module to get a kerberos ticket to a squid or
isa server that requires authentication and accepts kerberos tickets?

I have gotten curl to work with the negotiate option, but I'd very much
rather use libwww and Perl.

TIA,
--
Groeten,
natxo
From: Achim G. <ac...@gr...> - 2012-12-04 13:25:33
Hi Sam,

that means there is no interactive user?
In that case (for example in cronjob) you run kinit with keytab-option
and use the key from keytabfile instead of a password.

example:

achim@beren [~]$ kinit -k -t /usr/local/apache/conf/http_beren.krb5keytab HTTP/beren.grolmsnet.de

to get a TGT for principal 'HTTP/beren.grolmsnet.de'.

Best Regards,
Achim

On Tuesday 04 December 2012, sam...@ba... wrote:
> Thanks again, Achim.
>
> If a password needs to be entered interactively at log-on, how can GSSAPI
> be used on servers? We run our applications either as services, or via
> scheduled tasks (Windows)/cron (Linux), under a non-interactive system
> account. There is no interaction either at start-up or at logon.
>
> Thanks,
> Sam
>
> -----Original Message-----
> From: Achim Grolms [mailto:ac...@gr...]
> Sent: Tuesday, December 04, 2012 1:57 PM
> To: Ferencik, Samuel: Markets (PRG)
> Cc: per...@li...
> Subject: Re: [Perlgssapi-users] SSO on Windows
>
> Hi Sam,
>
> kinit is run only once, at user-logon-time to get the "Ticket Granting
> Ticket" (TGT).
>
> This TGT is used to get the "Service Tickets" for accessing the services
> (for example ldap, cifs, pop3 etc.)
>
> in other Words: "Getting the TGT" is a step that takes place
> on both systems at logon-time:
>
> a) Windows-SSPI: When User logins into his machine by Domain-Account (use
> kerbtray.exe to make the tickets visible)
>
> b) MIT/Heimdal: when running kinit.
>
> There is a special case of b) when Kerberos is used to login
> into the machine, for example by pam-krb5.
> In this case the TGT can be pulled by the login-procedure with
> no need to run kinit.
>
> Another special case is when accessing a remote-machine with
> TGT-forwarding: In that case a TGT is transported to the remote-machine
> with no need to run kinit again on the remote machine.
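Added example, not from the thread or from perl-GSSAPI: a shell wrapper around the `kinit -k -t` call shown in the message above, for cron jobs and services that run without an interactive user. It assumes `kinit` and `kdestroy` from MIT or Heimdal Kerberos are on the PATH; the function names, the keytab permission check and the per-job credential cache are additions for illustration.

```shell
#!/bin/sh
# Run a non-interactive job with a TGT obtained from a keytab.
# Function names are illustrative; the keytab and principal in the usage
# line at the bottom are the ones from the message, the job path is a placeholder.

# Succeed only if the keytab is a regular file (not a symlink) that grants
# no permission bits to group or other. A keytab holds the principal's
# long-term key, so anyone who can read it can authenticate as that principal.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;   # e.g. -rw------- or -r--------
        *)           return 1 ;;
    esac
}

# run_with_keytab KEYTAB PRINCIPAL COMMAND [ARGS...]
# Exit status: 2 = keytab missing or not private, 3 = no temporary directory,
# 4 = kinit failed, otherwise the exit status of COMMAND.
run_with_keytab() {
    (
        keytab=$1
        principal=$2
        shift 2

        if ! keytab_is_private "$keytab"; then
            echo "refusing keytab '$keytab': missing, a symlink, or accessible by group/other" >&2
            exit 2
        fi

        # Private per-job cache: the job neither depends on nor overwrites
        # the shared default cache (such as /tmp/krb5cc_<uid>).
        ccdir=$(mktemp -d) || exit 3
        KRB5CCNAME="FILE:$ccdir/krb5cc"
        export KRB5CCNAME

        rc=0
        if kinit -k -t "$keytab" "$principal"; then
            # GSSAPI clients started here find the TGT through KRB5CCNAME.
            "$@" || rc=$?
            kdestroy >/dev/null 2>&1 || true
        else
            rc=4
        fi

        rm -rf "$ccdir"
        exit "$rc"
    )
}

# Usage from cron:
#   run_with_keytab /usr/local/apache/conf/http_beren.krb5keytab \
#       HTTP/beren.grolmsnet.de /path/to/job
```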
From: <sam...@ba...> - 2012-12-04 13:09:34
Thanks again, Achim.

If a password needs to be entered interactively at log-on, how can GSSAPI be
used on servers? We run our applications either as services, or via scheduled
tasks (Windows)/cron (Linux), under a non-interactive system account. There is
no interaction either at start-up or at logon.

Thanks,
Sam

-----Original Message-----
From: Achim Grolms [mailto:ac...@gr...]
Sent: Tuesday, December 04, 2012 1:57 PM
To: Ferencik, Samuel: Markets (PRG)
Cc: per...@li...
Subject: Re: [Perlgssapi-users] SSO on Windows

Hi Sam,

kinit is run only once, at user-logon-time to get the "Ticket Granting
Ticket" (TGT).

This TGT is used to get the "Service Tickets" for accessing the services
(for example ldap, cifs, pop3 etc.)

in other Words: "Getting the TGT" is a step that takes place
on both systems at logon-time:

a) Windows-SSPI: When User logins into his machine by Domain-Account (use
kerbtray.exe to make the tickets visible)

b) MIT/Heimdal: when running kinit.

There is a special case of b) when Kerberos is used to login
into the machine, for example by pam-krb5.
In this case the TGT can be pulled by the login-procedure with
no need to run kinit.

Another special case is when accessing a remote-machine with
TGT-forwarding: In that case a TGT is transported to the remote-machine
with no need to run kinit again on the remote machine.

I am pretty unsure if MIT/Heimdal can make direct use of the SSPI-TGTs
or wrap the SSPI calls into a GSSAPI-Interface, I am unfamiliar with the
current development-tree.

Best Regards,
Achim

On Tuesday 04 December 2012, sam...@ba... wrote:
> Hi,
>
> Do I understand correctly that GSSAPI with MIT Kerberos can only work after
> some initial run of kinit involving entering the password? (This time I
> mean the question for both Windows and Unix.) If so, how is this usually
> architectured? When is kinit executed? At system startup? At user logon?
> With each process?
>
> Thanks,
> Sam
>
> -----Original Message-----
> From: Ferencik, Samuel: Markets (PRG)
> Sent: Thursday, November 29, 2012 9:23 PM
> To: 'ac...@gr...'; per...@li...
> Subject: RE: [Perlgssapi-users] SSO on Windows
>
> Hi Achim,
>
> Thanks for the quick response.
>
> Does this mean that it's not possible via GSSAPI & KfW?
>
> Yes, please forward the patches, I will give them a try. Direct integration
> with SSPI would be wonderful!
>
> Thanks,
> Sam
>
> -----Original Message-----
> From: Achim Grolms [mailto:ac...@gr...]
> Sent: Thursday, November 29, 2012 9:19 PM
> To: per...@li...; Ferencik, Samuel: Markets (PRG)
> Subject: Re: [Perlgssapi-users] SSO on Windows
>
> Hi Sam,
>
> As far as I know it is possible.
> I've patches in my inbox that modify LWP::Authen::Negotiate to make
> direct use of the SSPI-API, but I still have integrated the patches.
>
> Please let me know If you want me to forward the patches to you,
> you can give it a try on your own.
>
> Sorry.
>
> Best Regards,
> Achim
>
> On Thursday 29 November 2012, sam...@ba... wrote:
> > Hi,
> >
> > Is it possible for LWP::Authen::Negotiate / GSSAPI to use the Windows
> > credentials cache transparently?
> >
> > We have a Perl application making HTTP requests to an intranet web server
> > (IIS). We need the app to authenticate with the server, but we don't want
> > to
> >
> > - (store and) send the password
> >
> > - run kinit interactively.
> >
> > The reason is that the application runs non-interactively (as a Windows
> > service), so any need to enter a password even once would defeat the
> > purpose.
> >
> > I've installed MIT KfW, and got the GSSAPI unit tests pass, but I think
> > there's more to it than that (setting up krb5.ini, perhaps running
> > kinit.exe) and I'm not even sure this all will achieve what I need...
> >
> > Please advise.
> > > > Thanks, > > Sam > > _______________________________________________ > > This e-mail may contain information that is confidential, privileged or > otherwise protected from disclosure. If you are not an intended recipient > of this e-mail, do not duplicate or redistribute it by any means. Please > delete it and any attachments and notify the sender that you have received > it in error. Unless specifically indicated, this e-mail is not an offer to > buy or sell or a solicitation to buy or sell any securities, investment > products or other financial product or service, an official confirmation of > any transaction, or an official statement of Barclays. Any views or > opinions presented are solely those of the author and do not necessarily > represent those of Barclays. This e-mail is subject to terms available at > the following link: www.barclays.com/emaildisclaimer. By messaging with > Barclays you consent to the foregoing. Barclays offers premier investment > banking products and services to its clients through Barclays Bank PLC, a > company registered in England (number 1026167) with its registered office > at 1 Churchill Place, London, E14 5HP. This email may relate to or be sent > from other members of the Barclays Group. > > _______________________________________________ > > --------------------------------------------------------------------------- >--- LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial > Remotely access PCs and mobile devices and provide instant support Improve > your efficiency, and focus on delivering more value-add services Discover > what IT Professionals Know. Rescue delivers > http://p.sf.net/sfu/logmein_12329d2d > _______________________________________________ > Perlgssapi-users mailing list > Per...@li... > https://lists.sourceforge.net/lists/listinfo/perlgssapi-users |
From: Achim G. <ac...@gr...> - 2012-12-04 12:56:55
|
Hi Sam,

kinit is run only once, at user-logon-time to get the "Ticket Granting Ticket" (TGT). This TGT is used to get the "Service Tickets" for accessing the services (for example ldap, cifs, pop3 etc.)

In other words: "Getting the TGT" is a step that takes place on both systems at logon-time:

a) Windows-SSPI: When User logins into his machine by Domain-Account (use kerbtray.exe to make the tickets visible)
b) MIT/Heimdal: when running kinit.

There is a special case of b) when Kerberos is used to login into the machine, for example by pam-krb5. In this case the TGT can be pulled by the login-procedure with no need to run kinit.

Another special case is when accessing a remote-machine with TGT-forwarding: In that case a TGT is transported to the remote-machine with no need to run kinit again on the remote machine.

I am pretty unsure if MIT/Heimdal can make direct use of the SSPI-TGTs or wrap the SSPI calls into a GSSAPI-Interface, I am unfamiliar with the current development-tree.

Best Regards,
Achim

On Tuesday 04 December 2012, sam...@ba... wrote:
> Hi,
>
> Do I understand correctly that GSSAPI with MIT Kerberos can only work after
> some initial run of kinit involving entering the password? (This time I
> mean the question for both Windows and Unix.) If so, how is this usually
> architectured? When is kinit executed? At system startup? At user logon?
> With each process?
>
> Thanks,
> Sam
|
From: <sam...@ba...> - 2012-12-04 08:39:17
|
Hi,

Do I understand correctly that GSSAPI with MIT Kerberos can only work after some initial run of kinit involving entering the password? (This time I mean the question for both Windows and Unix.) If so, how is this usually architectured? When is kinit executed? At system startup? At user logon? With each process?

Thanks,
Sam

-----Original Message-----
From: Ferencik, Samuel: Markets (PRG)
Sent: Thursday, November 29, 2012 9:23 PM
To: 'ac...@gr...'; per...@li...
Subject: RE: [Perlgssapi-users] SSO on Windows

Hi Achim,

Thanks for the quick response.

Does this mean that it's not possible via GSSAPI & KfW?

Yes, please forward the patches, I will give them a try. Direct integration with SSPI would be wonderful!

Thanks,
Sam
|
From: Achim G. <ac...@gr...> - 2012-11-29 21:50:31
|
Hi Sam,

currently I am under high load (work&family) with no time for CPAN.

The problem for LWP::Authen::Negotiate in detail I did not solve is to pull-in the proper dependencies for CPAN-Installer:

a) If LWP::Authen::Negotiate runs on Windows the Win32:: dependencies must be pulled in installed
b) If LWP::Authen::Negotiate runs on Unixoid and MIT/Heimdal the GSSAPI.pm dependencies must be pulled in.

If there is any good idea how to write a proper Makefile.PL or build process please let me know.

Best Regards,
Achim

On Thursday 29 November 2012, sam...@ba... wrote:
> Achim,
>
> Thanks for the quick response. Do I understand correctly that a patch for
> Win32::InitAuth is needed too? If so, could you please send it as well?
>
> When do you think this could be released? We can maintain a patched
> version, but of course it would be better to have a proper released one.
>
> Thanks a lot,
> Sam
|
From: <sam...@ba...> - 2012-11-29 21:48:13
|
Hi Achim,

No pressure. You've helped more than enough already!

If this is just about Makefile.PL, why don't you simply test $^O and then set PREREQ_PM accordingly?

Another question would be how dependencies are defined and tracked at CPAN (if you want to make the same distinction on http://deps.cpantesters.org/?module=LWP%3A%3AAuthen%3A%3ANegotiate). Is this a concern too?

BTW, I've checked Win32-IntAuth 0.20 and it has the patch by Jason integrated.

Thanks,
Sam

-----Original Message-----
From: Achim Grolms [mailto:ac...@gr...]
Sent: Thursday, November 29, 2012 10:34 PM
To: per...@li...; Ferencik, Samuel: Markets (PRG)
Cc: v-...@mi...
Subject: Re: [Perlgssapi-users] LWP::Authen::Negotiate mods

Hi Sam,

currently I am under high load (work&family) with no time for CPAN.

The problem for LWP::Authen::Negotiate in detail I did not solve is to pull-in the proper dependencies for CPAN-Installer:

a) If LWP::Authen::Negotiate runs on Windows the Win32:: dependencies must be pulled in installed
b) If LWP::Authen::Negotiate runs on Unixoid and MIT/Heimdal the GSSAPI.pm dependencies must be pulled in.

If there is any good idea how to write a proper Makefile.PL or build process please let me know.

Best Regards,
Achim
|
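Added example, not code from the thread or from the LWP::Authen::Negotiate distribution: a Makefile.PL that tests `$^O` and sets `PREREQ_PM` accordingly, as suggested in the message above. The `VERSION_FROM` path, the `LWP::UserAgent` prerequisite, the treatment of Cygwin as Unix and the helper name `backend_prereqs` are assumptions; the module spelling `Win32::IntAuth` and version 0.20 follow that message.

```perl
#!/usr/bin/perl
# Makefile.PL sketch (added example, not the distribution's own file).
use strict;
use warnings;
use ExtUtils::MakeMaker;

# Choose the authentication backend for the platform that runs the installer.
# $^O is 'MSWin32' on native Windows Perl. Cygwin reports 'cygwin' and is
# treated like Unix here (assumption).
sub backend_prereqs {
    my ($os) = @_;
    return $os eq 'MSWin32'
        ? ( 'Win32::IntAuth' => '0.20' )   # SSPI path; 0.20 is the version named in the thread
        : ( 'GSSAPI'         => 0 );       # MIT/Heimdal path via GSSAPI.pm, any version (assumption)
}

my %prereq = (
    'LWP::UserAgent' => 0,                 # assumption: the module plugs into LWP
    backend_prereqs($^O),
);

WriteMakefile(
    NAME         => 'LWP::Authen::Negotiate',
    VERSION_FROM => 'lib/LWP/Authen/Negotiate.pm',   # assumed layout
    PREREQ_PM    => \%prereq,
    # The prerequisite list is computed when Makefile.PL runs, so mark the
    # metadata as dynamic: installers then run this file on the target
    # machine instead of trusting a prerequisite list frozen at release time.
    META_MERGE   => { dynamic_config => 1 },
);
```

Static dependency listings built from the released META file only show whatever the release machine computed, so the per-platform split is visible only to installers that run Makefile.PL.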
From: Achim G. <ac...@gr...> - 2012-11-29 21:27:20
|
---------- Forwarded Message ----------

Subject: RE: LWP::Authen::Negotiate mods
Date: Tuesday 08 February 2011
From: Tho...@he...
To: ac...@gr...

Hello Achim, hello Jason,

> find attached a patch of Win32::InitAuth written by
> Jason Taylor that enables the module LWP::Authen::Negotiate
> to make direct use of the SSPI if run on Windows-Environment.
>
> Can you give this a check if you can apply the changes
> to the CPAN-Version of Win32::InitAuth?

Thanks for the Patch. I'll integrate it into the next version. I'm a bit short of time at the moment, but I'll do it asap.

Thomas

-------------------------------------------------------
|
From: Achim G. <ac...@gr...> - 2012-11-29 21:26:25
|
---------- Forwarded Message ----------

Subject: LWP::Authen::Negotiate mods
Date: Friday 21 January 2011
From: "Jason Taylor (Comsys Information Technology)" <v-...@mi...>
To: "pa...@gr..." <pa...@gr...>

Achim,

The attached tar file contains modifications to LWP::Authen::Negotiate that causes it to use the first available module between Win32::InitAuth (SSPI on Windows) or GSSAPI. It relies on some modifications to Win32::InitAuth, also attached. Please feel free to use this as you see fit.

Thanks,
Jason

-------------------------------------------------------
|
From: <sam...@ba...> - 2012-11-29 21:24:50
|
Achim,

Thanks for the quick response. Do I understand correctly that a patch for Win32::InitAuth is needed too? If so, could you please send it as well?

When do you think this could be released? We can maintain a patched version, but of course it would be better to have a proper released one.

Thanks a lot,
Sam

-----Original Message-----
From: Achim Grolms [mailto:ac...@gr...]
Sent: Thursday, November 29, 2012 10:12 PM
To: Ferencik, Samuel: Markets (PRG); per...@li...
Subject: Fwd: RE: LWP::Authen::Negotiate mods

Hi Simon,

find attached the code.

Best Regards,
Achim
|
From: Achim G. <ac...@gr...> - 2012-11-29 21:12:21
|
Hi Simon,

find attached the code.

Best Regards,
Achim

---------- Forwarded Message ----------

Subject: RE: LWP::Authen::Negotiate mods
Date: Friday 21 January 2011
From: "Jason Taylor (Comsys Information Technology)" <v-...@mi...>
To: "pa...@gr..." <pa...@gr...>

Oops...small correction attached.

From: Jason Taylor (Comsys Information Technology)
Sent: Friday, January 21, 2011 12:24 PM
To: 'pa...@gr...'
Subject: LWP::Authen::Negotiate mods

Achim,

The attached tar file contains modifications to LWP::Authen::Negotiate that causes it to use the first available module between Win32::InitAuth (SSPI on Windows) or GSSAPI. It relies on some modifications to Win32::InitAuth, also attached. Please feel free to use this as you see fit.

Thanks,
Jason

-------------------------------------------------------
|
From: Achim G. <ac...@gr...> - 2012-11-29 20:38:07
|
Hi Sam,

As far as I know it is possible. I've patches in my inbox that modify LWP::Authen::Negotiate to make direct use of the SSPI-API, but I still have integrated the patches.

Please let me know if you want me to forward the patches to you, you can give it a try on your own.

Sorry.

Best Regards,
Achim

On Thursday 29 November 2012, sam...@ba... wrote:
> Hi,
>
> Is it possible for LWP::Authen::Negotiate / GSSAPI to use the Windows
> credentials cache transparently?
>
> We have a Perl application making HTTP requests to an intranet web server
> (IIS). We need the app to authenticate with the server, but we don't want
> to
>
> - (store and) send the password
>
> - run kinit interactively.
>
> The reason is that the application runs non-interactively (as a Windows
> service), so any need to enter a password even once would defeat the
> purpose.
>
> I've installed MIT KfW, and got the GSSAPI unit tests pass, but I think
> there's more to it than that (setting up krb5.ini, perhaps running
> kinit.exe) and I'm not even sure this all will achieve what I need...
>
> Please advise.
>
> Thanks,
> Sam
|
From: <sam...@ba...> - 2012-11-29 20:23:04
|
Hi Achim,

Thanks for the quick response.

Does this mean that it's not possible via GSSAPI & KfW?

Yes, please forward the patches, I will give them a try. Direct integration with SSPI would be wonderful!

Thanks,
Sam

-----Original Message-----
From: Achim Grolms [mailto:ac...@gr...]
Sent: Thursday, November 29, 2012 9:19 PM
To: per...@li...; Ferencik, Samuel: Markets (PRG)
Subject: Re: [Perlgssapi-users] SSO on Windows

Hi Sam,

As far as I know it is possible. I've patches in my inbox that modify LWP::Authen::Negotiate to make direct use of the SSPI-API, but I still have integrated the patches.

Please let me know if you want me to forward the patches to you, you can give it a try on your own.

Sorry.

Best Regards,
Achim
|
From: <sam...@ba...> - 2012-11-29 17:51:46
|
Hi,

Is it possible for LWP::Authen::Negotiate / GSSAPI to use the Windows credentials cache transparently?

We have a Perl application making HTTP requests to an intranet web server (IIS). We need the app to authenticate with the server, but we don't want to

- (store and) send the password
- run kinit interactively.

The reason is that the application runs non-interactively (as a Windows service), so any need to enter a password even once would defeat the purpose.

I've installed MIT KfW, and got the GSSAPI unit tests pass, but I think there's more to it than that (setting up krb5.ini, perhaps running kinit.exe) and I'm not even sure this all will achieve what I need...

Please advise.

Thanks,
Sam
|
From: Achim G. <ac...@gr...> - 2011-08-06 10:46:15
|
Hi Karl,

On Friday 05 August 2011, Karl Forner wrote:
> Hello,
>
> I'd like to implement an intranet web app using perl and the server-side
> (but no Apache server) and windows client using either firefox or IE.
> I've read some documents about SPNEGO but I do not know where to start:
>
> - I am not an admin of the windows domain, I do not even know how to
> find out which is the pdc, bcd, kdc etc...

Nevertheless you need admin-access to the DC to create the required SPNs, see <http://www.grolmsnet.de/kerbtut/>.

> - the server is running on a linux computer on which I am not root
> either.

Unless you try to bind your Service to a port < 1024 this can work.

> - First question: is it feasible ?

I suppose so, years ago I've written a POP3 server using Perl and GSSAPI.

> - second one: where do I start ?

1. Read <http://www.grolmsnet.de/kerbtut/>, I've tried to describe the concepts.
2. Read the sources of mod_auth_kerb as an example how this can be implemented for HTTP-based communication.

Best Regards,
Achim
|
From: Karl F. <kar...@gm...> - 2011-08-05 18:06:31
|
Hello,

I'd like to implement an intranet web app using perl and the server-side (but no Apache server) and windows client using either firefox or IE. I've read some documents about SPNEGO but I do not know where to start:

- I am not an admin of the windows domain, I do not even know how to find out which is the pdc, bcd, kdc etc...
- the server is running on a linux computer on which I am not root either.
- First question: is it feasible ?
- second one: where do I start ?
- I've tried something taking some code and logic from Apache2::AuthenNTLM with firefox but it goes into an infinite loop: the browser always sends the same gss-data no matter what I send it back

Any help will greatly be appreciated.

Thanks
Karl
|
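Added example, not code from the thread: one way for a Perl server to see which kind of token arrives in an `Authorization: Negotiate` header, since NTLM-style handling and a GSSAPI acceptor expect different token formats. The function names and the three sample tokens are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);

# DER content bytes of the mechanism OIDs a GSS-API initial token can carry.
my %MECH = (
    "\x2b\x06\x01\x05\x05\x02"             => 'SPNEGO (1.3.6.1.5.5.2)',
    "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" => 'Kerberos 5 (1.2.840.113554.1.2.2)',
);

# Read a DER length at $pos; returns (length, next position), or an empty
# list when the input is truncated or uses an unsupported length form.
sub der_len {
    my ($buf, $pos) = @_;
    return if $pos >= length($buf);
    my $first = ord substr($buf, $pos++, 1);
    return ($first, $pos) if $first < 0x80;            # short form
    my $n = $first & 0x7f;                             # long form: $n length bytes
    return if $n == 0 || $n > 4 || $pos + $n > length($buf);
    my $len = 0;
    $len = ($len << 8) | ord substr($buf, $pos++, 1) for 1 .. $n;
    return ($len, $pos);
}

# Classify the token carried in an "Authorization: Negotiate <base64>" value.
sub classify_negotiate {
    my ($value) = @_;
    my ($b64) = $value =~ m{^\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*$}i
        or return 'no Negotiate token present';
    my $tok = decode_base64($b64);

    # Raw NTLM: "NTLMSSP\0" signature, then a little-endian message type.
    if (substr($tok, 0, 8) eq "NTLMSSP\0") {
        return 'truncated NTLMSSP message' if length($tok) < 12;
        my $type = unpack 'V', substr($tok, 8, 4);
        return "raw NTLMSSP message, type $type";
    }

    my $tag = length($tok) ? ord substr($tok, 0, 1) : -1;

    # GSS-API initial token: [APPLICATION 0] { mechanism OID, inner token }.
    if ($tag == 0x60) {
        my ($len, $pos) = der_len($tok, 1) or return 'malformed GSS-API token';
        return 'malformed GSS-API token'
            unless $pos < length($tok) && ord(substr($tok, $pos++, 1)) == 0x06;
        my ($oid_len, $oid_pos) = der_len($tok, $pos)
            or return 'malformed GSS-API token';
        return 'malformed GSS-API token' if $oid_pos + $oid_len > length($tok);
        my $oid = substr($tok, $oid_pos, $oid_len);
        return 'GSS-API initial token, mechanism '
             . ($MECH{$oid} // 'unknown OID ' . unpack('H*', $oid));
    }

    # Later SPNEGO legs are bare NegTokenResp structures ([1] context tag).
    return 'SPNEGO NegTokenResp (continuation leg)' if $tag == 0xa1;
    return 'unrecognised token';
}

# Constructed sample tokens (headers only, not captured traffic).
my %samples = (
    ntlm_type1 => "NTLMSSP\0" . pack('V', 1) . pack('V', 0),
    spnego     => "\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02",
    krb5       => "\x60\x0b\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02",
);
for my $name (sort keys %samples) {
    my $header = 'Negotiate ' . encode_base64($samples{$name}, '');
    printf "%-10s -> %s\n", $name, classify_negotiate($header);
}
```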
From: Achim G. <ac...@gr...> - 2011-05-30 20:54:11
|
On Monday 30 May 2011, Markus Jansen wrote:
> As said, the pure Perl solution uses the proper service/host combination,
> but fails with TLS/SSL.

Hi Markus,

is this the same behaviour described in <https://rt.cpan.org/Public/Bug/Display.html?id=63480> ?

Thank you!

Best Regards,
Achim
|
From: Achim G. <ac...@gr...> - 2011-05-27 19:48:45
|
On Friday 27 May 2011, you wrote:
> Hi,
>
> I got somewhat stuck while trying to make Net::LDAP using
> Authen::SASL::Perl::GSSAPI.

Hi Markus,

I've made a Net::LDAP example at <http://perl.grolmsnet.de/authensasl/index.html#netldap>

Does this work for you?

Best Regards,
Achim
|