We have an AD group 'foo'. User Abe is added to it using AD tools.
I cannot see this user in the group using vastool on Solaris. And of course the user cannot login.
$ vastool list groups | grep foo
foo:VAS:2010:john.doe@na.company.com,harry.who@na.company.com
$
I've executed vastool flush to no affect.
What am I doing wrong?
By enabling logging, I see that authentication info is not found in the cache, when AJAX call is made, so vsj java filter is redirecting for authentication token. User is already authenticated and established a user session.
Any help is appreciated.
Thanks
-Apparao
I'm using Wyse T50 with brazilian ABNT2 keyboard(pt-BR) and the key "."(point) in numeric keyboard does work inside rdpclient. It works fine with console and other apps outside rdpclient but not inside. Using rdpclient with parameter --lx-debug helped to get the keycode 0x79 but I do not how to fix it. I installed Remmina/Rdesktop and all the keys works fine, so I guess the problem is with Wyse-rdpclient/RDP.
Any idea?
Thanks in advance
We are trying to use the vsj servlet filter in one of the vendor supplied web application, where we can not include vsj-federation.properties file as part of the deployments.
Is there alternate way of providing "fsProxy", "applicationUrl" and "fsCertificate" properties to the filter?
Hi all,
- I have a Web Server configured with 2 Apache Instances, each instance running as different user and port.
- I configured the VAS module for Active Directory Authentication on both instances
- So, now, the problem, is that in one instance the VAS authentication is working really good, and in the otherone,
we're having problems. It's always requesting Credentials when you try to access any websites hosted on this second instances.
The strange thing is that in the first instance, every website is working correctly and it's taking credentials automatically from browser.
Have anyone seen this kind of behavior?
Thanks in advance,
Obed N Munoz
I am using Quest Authentication Services to integrate my Linux systems with our lab domain. I want to use the cached kerberos tickets to authenticate without providing a password when mounting an exported SMB share using the command 'mount -t cifs <device> <dir> -o sec=krb5'. My understanding is that when request-key is called by the kernel cifs.upcall is used to locate the cached kerberos ticket. The problem I am having is that when I directly call cifs.upcall with the uid of the user it does not return anything and it has an exit code of 1. If I look at /var/log/messages I see the following log message related to the call.
Jun 19 09:55:03 merlin cifs.upcall: keyctl_describe_alloc failed: Required key not available
Per the cifs.upcall man page I added the following two lines to request-key.conf
create cifs.spnego * * /usr/local/sbin/cifs.upcall %k
create dns_resolver * * /usr/local/sbin/cifs.upcall %k
BK
Hi all.
I'm currently looking at adding Macs to our Active Directory using QAS. Our users all use SmartCards to authenticate, and getting that working in OS X is the primary reason that I'm looking at QAS.
After some work I've arrived at a working configuration, but I have a few questions.
* Logging on using cached credentials doesn't seem to work. If the computer isn't attached to the internal network I only get the "password box shake" when I enter the SmartCard PIN. No other error.
* Local authentication doesn't seem to work. The user is a local admin, but whenever I press a padlock I get a username/password dialog, not a SmartCard PIN dialog. The same thing happens when the screensaver starts.
* SUDO asks for a password, not a PIN.
What am I missing?
Thanks,
Fredrik
Hi,
Looking for some help and advice.
I have a Active Directory that I administer and can install Auth Services into. Within this AD I have some admin users that need access to Redhat machines, all no problem with Auth Services. However, my question is this.
If the AD at the other end of the Trust has users that I need to "Unix Enable", so they can also access the RedHat machines using their AD accounts, is that possible?
Note - the other AD is managed by another company and I have no possibility of getting anything installed or changed other than a trust established.
Can anyone help/suggest if this is possible?
Thanks,
Steve
Hi,
We have been using winSSPI.dll on client side from 3.2 package. This dll is not working anymore in JDK 7.
The exception trace as follows :
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: OS name = 'Windows 7', version = '6.1'
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: [init]: isKerberosOS = true, isSessionKeySupported = true
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: calling native method ...
[winSSPI.dll] initialize
[winSSPI.dll] initialize: done
[INFO] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: initialize: Successfully initialized Windows SSPI
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: acquireCredentialsHandle: calling native method ...
[winSSPI.dll] acquireCredentialsHandle
[DEBUG] Mon Aug 26 14:30:10 CEST 2013 jcsi.kerberos: loadCredential: result = 0
Attempting initContext with principal: HTTP/appsec001.gaia.net.intra
initContext failed with principal: HTTP/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
Attempting initContext with principal: HOST/appsec001.gaia.net.intra
initContext failed with principal: HOST/appsec001.gaia.net.intra error: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
initContext failed with all attempted principals
java.security.PrivilegedActionException: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:373)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
at weblogic.security.Security.runAs(Security.java:61)
at security.role.TestKerberosEJBCall.main(TestKerberosEJBCall.java:32)
Caused by: javax.security.auth.login.LoginException: LoginException: java.security.PrivilegedActionException: GSSException: com.dstc.security.kerberos.winSSPI.WinSSPIMechanismFactoryU2S configured by WinSSPIGSS for GSS-API Mechanism Factory cannot be created
at com.quest.vsj.weblogic.login.EjbClientKerberosLoginModule.login(EjbClientKerberosLoginModule.java:107)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
at security.role.TestKerberosEJBCall$1.run(TestKerberosEJBCall.java:35)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
... 3 more
Any ideas if any newer version or patch is supporting both JDK 7 64 & 32 bit ?
Thanks in advance.