directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject Re: Kerby Remote KAdmin
Date Mon, 08 Aug 2016 14:38:27 GMT
The problem we're seeing is that the Kerby server admin accounts aren't configured to be compliant
with the MIT kadmin account.  Kerby allows the user to use a TGT to acquire a service ticket
for kadmin, while MIT doesn't, so the auth methods are misaligned.  I've recreated some C++
libraries I wrote to do this a while back, hopefully I can use them to help trace through
and see where our packets are being malformed.  

Thanks for the response, we'll keep plugging and let you know what we figure out.


"The programmer … works only slightly removed from pure thought-stuff.
He builds his castles in the air, from air, creating by exertion of the imagination."
— Fred Brooks

Shawn Smith
Director of Software Engineering
Administrative Information Services
Penn State University

----- Original Message -----
From: "Zheng, Kai" <>
To: "Apache Directory Developers List" <>,
Sent: Friday, August 5, 2016 5:48:31 PM
Subject: RE: Kerby Remote KAdmin

Hi Shawn,

I don't have a deep dive in that, but I thought what's been going is to get it work first
in kerby remote client -> kerby admin server, in a protocol approach (XDR) aligned with
MIT Kerberos admin. After that effort will be made to get it work with MIT admin using kerby
admin client. Yan Yan is the major contributor but she had left the team so I'm not sure she
will keep the contribution or not. Another contributor Qing from the team is working on a
remote web UI interface at his willing.


-----Original Message-----
Sent: Friday, August 05, 2016 10:14 PM
To: Apache Directory Developers List <>
Subject: Kerby Remote KAdmin


We've been working on getting the protocol working against an MIT Kerb instance.  Based on
byte tracing in wireshark we think we're pretty close, but something is still not lining up
cleanly.  Has anyone else done a deep dive on this that may be able to provide some feedback
on what we're doing?  I'd like to find a good way to share what we're doing, but most of it
is outside of core kerby so I'm not sure where to put it for others to see it.


Any fool can write code that a computer can understand. Good programmers write code that humans
can understand.
--Martin Fowler 

Shawn Smith
Director of Software Engineering
Administrative Information Services

View raw message