| Path | csiph.com!tncsrv06.tnetconsulting.net!.POSTED.mailman.mit.edu!not-for-mail |
|---|---|
| From | Stefan Kania <stefan@kania-online.de> |
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: spn alias |
| Date | Sat, 8 Mar 2025 17:22:51 +0100 |
| Organization | Stefan Kania |
| Lines | 109 |
| Message-ID | <mailman.171.1741450992.2322.kerberos@mit.edu> |
| References | <42e99884-8cae-4664-9f29-79cd49c5c5e7@kania-online.de> <CAGMFw4hjK8CHYJWOiQb9+AvHQXZHkA6C_21eRNOwx5y6XTefVg@mail.gmail.com> <CALF+FNwB=07CbW5Do4E+C-C6D8T3bXhUX4PMHbkdnwGT9ewXfw@mail.gmail.com> <202503070110.5271AcT0029382@hedwig.cmf.nrl.navy.mil> <6893835c-f79b-4e13-bb25-9c872b5e77b1@kania-online.de> |
| To | kerberos@mit.edu |
On 07.03.25 at 02:10, Ken Hornstein via Kerberos wrote:
>> Unfortunately, the Cyrus SASL library used by OpenLDAP has a limitation in
>> the GSSAPI mechanism, which is that it supports only a single service
>> principal name(*). By default, that's ldap/<hostname>, using the machine's
>> configured FQDN. You can configure it to use a different name, such as the
>> one belonging to the shared load balancer VIP, but I'm afraid I don't
>> recall exactly how offhand (and I'm not in front of a computer). So, you
>> can support the server's individual name or the shared name, but not both.
>
> If you are using MIT Kerberos (anything 1.10 or newer) on the LDAP server,
> you can use the krb5.conf configuration entry "ignore_acceptor_hostname"
> to allow the server to match on any valid hostname. See details here:
>

Hi Ken,

that did it. Thank you. Now we get the ticket through the load balancer. But OpenLDAP is complaining that the name of the principal is not matching the FQDN. We will now go the way without the load balancer. We will use SRV records.

Stefan

> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#libdefaults
>
> Should do what you want.
>
> --Ken
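The effect of the `ignore_acceptor_hostname` setting discussed in this message, as an added example that is not part of the original thread: a simplified Python model (not MIT krb5 code) of which keytab entries an acceptor may use with the flag off and on. The realm, hostnames, keytab contents and helper names are constructed for illustration.

```python
import re

# Constructed krb5.conf fragment for an LDAP server behind a load balancer.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    ignore_acceptor_hostname = true
"""

# Constructed keytab contents (hypothetical principals, as `klist -k` would list).
SAMPLE_KEYTAB = [
    "ldap/ldap1.example.com@EXAMPLE.COM",
    "ldap/ldap-vip.example.com@EXAMPLE.COM",
    "HTTP/ldap1.example.com@EXAMPLE.COM",
]

TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

def libdefaults_bool(conf_text, key, default=False):
    """Return the first boolean assignment of `key` found in [libdefaults]."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            if name == key:
                return value.lower() in TRUE_WORDS
    return default

def acceptable_principals(keytab, service, hostname, realm, ignore_hostname):
    """Model: keytab entries usable by an acceptor for service@hostname."""
    accepted = []
    for princ in keytab:
        name, _, prealm = princ.rpartition("@")
        svc, _, host = name.partition("/")
        if svc != service or prealm != realm:
            continue  # service name and realm must always match
        if ignore_hostname or host.lower() == hostname.lower():
            accepted.append(princ)
    return accepted
```

With the flag on, every `ldap/` key in the keytab becomes acceptable, which is why the MIT documentation notes that this option could compromise security in virtual hosting environments.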