Server settings from /etc/krb5.conf used despite KRB5_CONFIG set

From: a-krb5u...@mikus.sk (Andrej Mikus)
Newsgroups: comp.protocols.kerberos
Subject: Server settings from /etc/krb5.conf used despite KRB5_CONFIG set
Date: Mon, 9 May 2022 21:03:46 +0200
Organization: TNet Consulting
Lines: 26
Message-ID: <mailman.54.1652123060.8148.kerberos@mit.edu>
References: <20220509190346.GA1253591@mikus.sk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
To: <kerberos@mit.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
 by: Andrej Mikus - Mon, 9 May 2022 19:03 UTC

Hi,

I would like to request comment/suggestion for a problem that resembles
https://stackoverflow.com/questions/33132768/kerberos-still-using-default-etc-krb5-conf-file-even-after-setting-krb5-config

As a Linux user, I am trying to access an IIS website protected by
Kerberos. Linux is managed by a different team than AD, both are using
their own Kerberos servers, and for some reason they use equal
domain/realm name.

I am pointing KRB5_CONFIG to a file with correct KDC address/name, but
kinit always refers to the IP specified in /etc/krb5.conf.

It is my understanding that setting the environment variable overrides any
use of files in /etc; the test scripts in the code distribution also
suggest this.

The environment variable and authentication work well when using
a system that refers to a different Linux domain in /etc/krb5.conf, so
for now I can access the AD from there. I would still like to understand
what is going on on the other Linux system.

krb5-libs.x86_64 krb5-workstation.x86_64 1.18.2-14.el8 from RHEL8

Regards
Andrej

