Passwordless ssh login using kerberos in Directory Server 5.2

Similar Messages

• Help!! How to install and use Sun ONE Directory Server Resource Kit 5.2

  Hi ! Friend:
  I have some problem on install and use Sun ONE Directory Server Resource Kit 5.2, when I execute "java DSRK", afterwards something like this : com.iplanet.install.until.wbResource::gerstring:resource bundle"locale.resources.S1DSRKResource" not found appeared in the window ,that's why?
  Meanwhile ,can you give some data about it on how to use it ?
  Thank you !

  You should be aware of the following characteristics of your directory when using this tool:
  Size and number of entries.
  Directory structure and access permissions.
  Virtual attributes, class of service, and indexing.
  Usage, types of access, and access patterns.
  Post your error messages completely.
  Thanks
  --Britto                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

• Issue w/ Case Differences Using the IBM Directory Server MA

  We have the following issue using the IBM Directory Server MA using FIM 2010 R2 (Version 4.1.3479.0).
  We provision a new object, e.g., uid=jdoe,ou=users,o=contoso, into an instance of IBM Directory Server
  The object is created in IBM Directory Server as uid=jdoe,ou=users,o=contoso
  A Full Import on the IBM Directory Server MA runs and confirms the export
  Subsequent imports, sync, and exports run successfully
  <Time passes>
  A Full Import on the IBM Directory Server MA runs, and this object shows up as a staging-error (uid=jdoe,ou=Users,o=contoso)
  Subsequent imports and syncs report errors on this object (staging-error)
  Note that we do not manipulate the anchor (DN) of this object once it is created in IBM Directory Server. Other attributes are synchronized, but the object is never renamed/moved. This case change does not happen with all of the objects brought
  in during the Full Import, but the number of instances do increase periodically. At this point, it does look like the import is changing from a lowercase "u" to an uppercase "U" but not vice versa.
  I found a related
  TechNet article containing the following remark:
  "IBM Directory Server does not guarantee that the case of a DN component will match in all instances. On a synchronization or import from IBM Directory Server, this can manifest itself as an unexpected update. For example, if you create
  O=TEST, and then create the user cn=MikeDan,O=TEST, this might be imported from IBM Directory Server as
  cn=MikeDan,O=test. Because of the case difference, FIM treats this as an update on subsequent full imports."
  Unfortunately, the article does not propose a resolution.
  Has anyone encountered this issue? More importantly has anyone resolved this or found an acceptable workaround?
  Note that deleting the connector space is not an acceptable workaround. :)

  I remember experiencing this issue when we were on 5.0, and I believe it persists through 5.1 as well.
  There is a comment in the 5.2 release notes that something similar was fixed:
  Changing case sensitive attribute values failed in MMR. (4624693)
  If I had to take a wild guess, I would say that the server does some internal checking to see if the value has changed, possibly based on the attribute syntax, to avoid replicating "changes" that really don't change anything except case. I doubt that all your custom attributes are case-sensitive, though. Enabling replication probably "turns on" this behavior, which doesn't go away even if replication is disabled.
  In any case, you're probably out of luck unless/until you upgrade to 5.2.

• Use of configuration directory server

  Maybe this is a dumb question but since I dont know the answer:
  Does one need to buy a production license of the Directory Server to use as a configuration directory server?
  I will have six web servers in my production environment. But only one or two admin user accounts for secure access.
  Thank,
  -amit

  Both 2005Q1 and 2005Q4 are considered 6.2. I would
  use 2005Q4. Actually, I DID use 2005Q4.
  Why use bits that are already superceeded? Is it the
  cost of 4 CD's?So, can this happen in two separate stages?:
  1. First upgrade all directory servers to 5.2p4 and migrate the current messaging server 5.2 configuration.
  2. At a later date, once directory services have been upgraded and are stable, the upgrade of the messaging server can be done.
  Thanks

• How do I use Kerberos Auth in Java 6?

  Hi,
  I have a problem with the Kerberos authentication. I have a simple class that tries to connect to an LDAP server using Kerberos. It works great when I use java 5, but with java 6 it fails.
  Here is part of the code:
          System.setProperty("java.security.auth.login.config", "/etc/login.conf");
          System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
          System.out.println("Trying to login using kerberos...");
          KerberosCallbackHandler kerberosCallbak = new KerberosCallbackHandler();
          LoginContext loginContext = new LoginContext(loginContextName, kerberosCallbak);
          loginContext.login();
          System.out.println("Login succeeded");
          //Login succeeds on both java 5 and java 6
          Subject.doAs(loginContext.getSubject(), new JndiAction());
          System.out.println("Connected through Kerberos successfully");The failure happens in the JndiAction:
      public class JndiAction implements PrivilegedExceptionAction<Integer>
          public Integer run() throws Exception
              String username = user + "@" + domain;
              System.out.println("User to connect to Kerberos is " + username);
              System.out.println("Provider URL is: " + url);
              Hashtable<String, String> env = new Hashtable<String, String>();
              env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
              env.put("java.naming.ldap.derefAliases", "finding");
              env.put(Context.PROVIDER_URL, url);
              env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
              System.out.println("Trying to create context...");
              new InitialLdapContext(env, null);
              return 0;
      }An exception occures when calling new InitialLdapContext:
  Exception in thread "main" java.security.PrivilegedActionException: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.Subject.doAs(Unknown Source)
          at KerberosAuth.connectKerberos(KerberosAuth.java:71)
          at KerberosAuth.main(KerberosAuth.java:29)
  Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
          at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
          at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
          at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
          at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
          at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
          at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
          at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
          at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
          at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
          at javax.naming.InitialContext.init(Unknown Source)
          at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
          at KerberosAuth$JndiAction.run(KerberosAuth.java:155)
          at KerberosAuth$JndiAction.run(KerberosAuth.java:1)
          ... 4 more
  Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
          at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
          ... 18 more
  Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
          at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          ... 19 more
  Caused by: KrbException: Server not found in Kerberos database (7)
          at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
          at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
          at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
          at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
          at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
          ... 22 more
  Caused by: KrbException: Identifier doesn't match expected value (906)
          at sun.security.krb5.internal.KDCRep.init(Unknown Source)
          at sun.security.krb5.internal.TGSRep.init(Unknown Source)
          at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
          ... 27 moreI want to emphasize that the login function did succeed, and that I try to connect to the same server with the same username and password and same configuration. With java 5 it works, with java 6 it does not.
  Does anybody know what I should do to solve this problem?
  TIA,
  Dikla

  Note: This thread was originally posted in the [Java Secure Socket Extension  (JSSE)|http://forums.sun.com/forum.jspa?forumID=2] forum, but moved to this forum for closer topic alignment.

• Roles in Directory Server?

  Does access manager support the role mechanism used by Sun directory server 5.2 and above? Are there any inconsistencies that I should be aware of. I would like to set up roles in the directory and use access (and identity) manager in the future.

  Please check Access Manager Admin guide on page 87.
  ftp://docs-pdf.sun.com/817-7647/817-7647.pdf
  Copy from above manual. Jerry
  Roles are a Directory Server entry mechanism similar to the concept of a group. A group has members; a role has members. A role�s members are LDAP entries that possess the role. The criteria of the role itself is defined as an LDAP entry with attributes, identified by the Distinguished Name (DN) attribute of the entry. Directory Server has a number of different types of roles but Access Manager can manage only one of them: the managed role.

• Can IdM be used as LDAP directory and UME datasource?

  Hi,
  I am trying to figure out what IDM can and cannot do.
  Can IDM be used as a LDAP datasource in its own right for a SAP Portal for example?
  Or do you still have to use an external LDAP directory and IDM is then only used to pull everything together from all systems?
  Thanks,
  Adriaan

  Hi Adriaan,
  it should be tecnically possible to use the Virtual Directory Server as a LDAP datasource for portal, but you probably have to edit the datasource.xml of portal and the connection.
  I'd rather use the portal database or a dedicated LDAP for that and use IdM to provision into this repository.
  Regards,
  Andreas

• Directory server and freeradius

  Hello guys
  Does anyone used freeradius with directory server for wifi authentication ? Which password scheme works with freeradius i dont want use cleartext with directory server.

  As far as freeradius uses BIND operations instead of searching for the userpassword attribute, you should be able to use
  any scheme.

• Upgrading  iplanet 4.1 directory server to 5.0

  Dear all
  Problem goes like this:
  We have netscape messaging server 4.1 ,directory server 4.1 running on NT box
  we want to upgrade our mail server to 5.1 and directory server to 5.0 .
  how can i get a pack of mail server 5.1 with directory server 5.0.
  we are thinking to shift the system to Solaris also.
  i tried first loading directory server 5.1 on solaris and then loading messaging server on the same system but using the existing directory server option . then migrating the users from old directory server to 5.1 .
  when we are loading the 5.1 on solaris it's straight forward and it's getting loaded but when installing messaging server on the same system we got a problem saying that serious problem occured while installing admin server ....
  and coming out.

  Hi Phil,
  To ensure its not permissions I'd grant the EUL Owner
  the "Select Any Table" database priv and then try
  again.
  If it still fails I would then perform a database
  trace of the session to get more details.
  Finally, if that fails I would create a new 3.1 EUL
  and export/import all of your business areas into
  that EUL and perform the upgrade to 4.
  Thanks,
  JeffHi Jeff,
  I'll try your suggestions.
  I also did a Business Area refresh which fixed a few definitions that no longer existed but when I ran the upgrade again I got the same error.
  Thanks.
  Phil.

• License for implementation of Kerberos in Weblogic server

  Hi All,
  We have to implement Kerberos in our ADF application in oracle 11g release. I want to know if there is any additional licensing requirement to use Kerberos with Weblogic server?
  Thanks
  Tinto Chacko

  Hello Tinto,
  We configured Kerberos SSO for one of the client site, don't re collect that we had to do anything with licensing. It's always better to check with the Licensing teams/sales teams from oracle for this kind of questions. As the licensing terms varies.
  Thanks,
  Rajiv.

• Sun Directory Server role support?

  I would like to set up roles in the sun directory and use the identity manager in the future. Does identity manager support the role mechanism used by Sun directory server 5.2 and above? Are there any inconsistencies that I should be aware of?
  Also, AFIAK Active Directory does not support multi-valued DN's as attribute values. If I use identity manager to sync Sun DS with AD will user entries with multiple Sun DS roles become a problem?

  We are in intial stages of design. Yes that was the goal to take the roles from Sun DS and use them in AD by way of identity manager. I am new to identity manager, so there may be a mapping instead of a direct push.
  The Sun DS roles are operational attributes and I am not sure how identity manager sees them or supports them. I guess if it can see tham then it can map them to anything.

• Using SSH login to create Kerberos ticket?

  Hello everyone,
  Using a 10.5 server with Kerberos and GSSAPI, is it possible to get Leopard to take the passphrase used for a user to log in via SSH and have it use that to acquire a new Kerberos ticket?
  This would mean that you only have to type in your password once... and not twice (once for SSH and another for the kerberos ticket).
  I googled around a bit and I'm at a complete loss. Is this possible under Leopard?
  Thank you!

  If I understand correctly, you want your users to be able to login to ssh via Kerberos?
  Yes, but by default it is turned off in the client. You need to enable GSSAPIAuthentication with this configuration statement:
  GSSAPIAuthentication yes
  You can do it at a user level by entering this into ~/.ssh/config
  Or at a workstation level by entering it in /etc/ssh_config (NOT sshd_config)

• Directory server 6.3 client and using useradd

  Is it possible to add a user locally via the useradd command when the client is bound to a directory server in which the userid already exists?
  Here is my pam.conf:
  #ident "@(#)pam.conf 1.28 04/04/21 SMI"
  # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # PAM configuration
  # Unless explicitly defined, all services use the modules
  # defined in the "other" section.
  # Modules are defined with relative pathnames, i.e., they are
  # relative to /usr/lib/security/$ISA. Absolute path names, as
  # present in this file in previous releases are still acceptable.
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth required pam_unix_cred.so.1
  login auth required pam_unix_auth.so.1
  login auth required pam_dial_auth.so.1
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth required pam_unix_cred.so.1
  rlogin auth required pam_unix_auth.so.1
  # Kerberized rlogin service
  krlogin auth required pam_unix_cred.so.1
  krlogin auth binding pam_krb5.so.1
  krlogin auth required pam_unix_auth.so.1
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_cred.so.1
  # Kerberized rsh service
  krsh auth required pam_unix_cred.so.1
  krsh auth binding pam_krb5.so.1
  krsh auth required pam_unix_auth.so.1
  # Kerberized telnet service
  ktelnet auth required pam_unix_cred.so.1
  ktelnet auth binding pam_krb5.so.1
  ktelnet auth required pam_unix_auth.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_unix_cred.so.1
  ppp auth required pam_unix_auth.so.1
  ppp auth required pam_dial_auth.so.1
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authentication
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth required pam_unix_cred.so.1
  other auth required pam_unix_auth.so.1
  # passwd command (explicit because of a different authentication module)
  passwd auth required pam_passwd_auth.so.1
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other account requisite pam_roles.so.1
  other account required pam_unix_account.so.1
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1
  other password requisite pam_authtok_get.so.1
  other password requisite pam_authtok_check.so.1
  other password required pam_authtok_store.so.1
  # Support for Kerberos V5 authentication and example configurations can
  # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
  Thanks,
  Anderson

  This depends on nsswitch.conf settings, not on your PAM settings.
  Your PAM settings will determine what happens at login time.
  nsswitch.conf will determine which naming service is used to retrieve
  (or store) naming information.
  You might want to set "files" rather than "ldap" first for the "users" map.
  /DP

• Os 10.4.8 open directory server login

  I have an xserve os 10.4.8 running open directory. Logins are working well from 10.4.8 clients. But the imac 10.3.9 clients do not mount the users custom desktop. Any reason why?

  That's the odd thing though. I've done this with 10.4 no problem. Settings always worked. For some reason though, even though the clients are able to login using a network user, none of the preference settings sync.
  For example - I always put a loginwindow message on as a sort of "test" to see if preferences are being set. If that works, then I rarely have a problem. No matter what I do, though, I cannot get the loginwindow message to display on the 10.3 clients. It works really well on 10.4, but not at all on 10.3. I've tried this on multiple 10.3 machines, as well, (and they're both based on different system images) but it still doesn't work. When I get back to work on Friday, I'll have to see if preferences will work for network users; that's the one thing I haven't tried.
  Other than dumping the directoryaccess preferences, is there another preference setting that could be dumped on the client that may make it grab prefs from the server?

• Linked server using kerberos working fine then after inacitive for 10 minutes start receiving the anonymous logon error

  Linked server using kerberos working fine but after leaving the session inactive for 10 minutes is startin to fall down to ntlm and receive the anonymous logon error

  we are connecting to  SQL mgmt studio app published on citrix, using  Windows authentication and Kerberos to forward the credentials to the linked servers and avoid the double hop issue, that part is working fine,  we already have the Constrained
  delegation, SPNs and Active directory settings for the Service accounts and the authentication is working, we can connect to the linked servers without errors, it's only whe the Session get idle when we faced the issue, the citrix team already have verifyed
  any timeout setting and they mentioned there is no 10 minute timout setting anywhere,  we also looked at the Kerberos AD Global policy settings to see if maybe the kerberos service ticket was expiring, but the configured values are  Maximum lifetime
  for service ticket 600 minutes  Maximum lifetime for user ticket 10 hours  Maximum lifetime for user ticket renewal 7 days, if you have any other suggestion please let me know.