I just have a little question about the ktpass command.
I have a user my-test-user with a password myPassword!. I can log in with this account via the username and the password.
But when I use the following command to generate a keytab file, I just can log in with the keytab file (kinit for example).
ktpass /out test.keytab /princ HTTP/test.example.com#MY.REALM /pass * /mapuser my-test-user#MY.REALM /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
If I try to connect with the username/password, the badPwdCount property is incremented.
My question is : is the ktpass command disable password authentication?
Many thanks.
Short answer: no.
The /pass * option means prompt for password. The /mapuser option means to lookup details in AD. If the value passed in via /pass doesn't match what's stored in AD the /mapuser call will set the password in AD to whatever is passed in.
What build of Windows are you running this on? The build of ktpass that shipped in Windows 2012 has a bug in the /pass parameter handling that appends the enter key escape character into the string sent to AD, so it resets it incorrectly. This was fixed in later OSes.
No, but there are a couple possible factors at play here:
One is that, if /mapuser is specified without also specifying -SetUPN, ktpass will change the UPN of the account in question to match whatever SPN was specified with the /Princ parameter in the command (in either case, /mapuser will register the SPN being requested to the specified user, but it only changes the UPN of that account if -SetUPN is absent).
This is apparently so that Linux clients can successfully get a ticket with this keytab (since from a Linux client using kinit, if we try to obtain a Kerberos ticket using an SPN that is registered to an account as an SPN, but that does not match any account's UPN, kinit will tell us the principal does not exist). Windows clients are able to obtain tickets for SPNs that are just registered as SPNs, without requiring that the service account's UPN match the SPN being requested.
So, if we were to try and authenticate using the account's "regular" UPN (the UPN it had prior to running ktpass, e.g. user#domain.com), after generating the keytab without specifying -SetUPN, then authentication would fail because that UPN is no longer valid.
The other issue is that ktpass does seem to "mangle" the password that is entered when using the /Pass * parameter to force it to prompt for password input. ktpass will either set the password to what we specify (if -SetPass is not included) or it will just create the keytab using the password we specify, taking our word that it is correct (but of course the resulting keytab won't work if an invalid password is given).
Based on my testing, if we enter the password in the command itself (e.g. /Pass P#ssw0rd), the keytab will work fine (assuming the password was correct) and password authentication should also work, although only if we either specify the username in DOMAIN\username format or if we included -SetUPN in our ktpass command, due to the UPN issue noted above.
However, the problem comes when we try to use the /Pass * parameter to avoid having to enter the password in plaintext on the command line. In this case, ktpass prompts us for a password, but it apparently modifies whatever value we enter somehow (behind-the-scenes). This will produce two possible results, depending on the options we specified in our command:
Either the resulting keytab file will be invalid and won't work - this happens if we included the -SetPass parameter (which tells ktpass not to change the account's password), because then ktpass generates a keytab with the mangled password even though the "real" password on the account is the value we entered at the prompt.
Or, the resulting password on the account will be set to an unknown value (and not the value we expect it to be) - i.e. the mangled version of the password we entered - this happens if we did not include -SetPass, in which case ktpass changes the password of the account to whatever value it mangles our input into. In this scenario, the keytab will work, but when we try to authenticate with this account using a password we will get an invalid password error (because the password on the account is not the one we think it is - its not the value we entered at the prompt).
I tested and confirmed this behavior on 2008R2, 2012 and 2012R2 - I was not able to test on anything newer.
To summarize - if you need to know the account's password so that you can authenticate with either method (password or keytab) after the keytab is generated, then you need to enter your password in the ktpass command itself instead of asking ktpass to prompt for it (i.e. use /Pass P#ssw0rd rather than /Pass *). Just be sure you do this in a secure setting where there is no possibility of somebody looking over your shoulder or silently monitoring your screen (luckily Windows by default doesn't log cmd history persistently).
On the other hand, if you don't need to know the account's password once the keytab is created, then its probably best to just use +rndPass - this will force ktpass to generate a random password for the account and the keytab will work just fine.
*EDIT/UPDATE: One other quirk I found when testing is that it seems if a new account is created w/ a known password, and ktpass is run to create a keytab for that account, specifying the password in the command as noted above, but with the -SetPass parameter, the resulting keytab will not work. If we run ktpass and specify the password without -SetPass, to let ktpass "reset" the password (to the same value it already was - the value we set when creating the account), the resulting keytab works fine, as does password authentication. And any subsequent keytabs created from that point onward will work (even if created with -SetPass). I do not have an explanation for this behavior (observed on Server 2012 and 2012R2).
Related
I am running an HSQLDB instance in server mode as a systemd service. To shut it down, I issue the following command:
java -cp $CLASSPATH:/usr/share/java/hsqldbutil.jar:/usr/share/java/hsqldb.jar "org.hsqldb.cmdline.SqlTool" --inlineRc=url=jdbc:hsqldb:hsql://localhost/$DB_NAME,user=SA,password=`cat ~/SA.pwd` --sql="SHUTDOWN;"
As one can see in the command, I connect as user SA with a password read from a file (which only that particular user can read), and specify both in the JDBC URL.
This works as long as SA has an empty password and I just supply password= in the command.
However, if SA has a real password and I supply it here, this fails with the error message:
'password' element must have empty value. For non-empty password, give no password element and you will be prompted for the value.
Is there any way to supply the password in a non-interactive way?
It works if you use a sqltool.rc file instead of --inline-rc. Place a file with the following contents in the home folder of the account which will be issuing the stop command:
urlid my-server
url jdbc:hsqldb:hsql://localhost/db_name
username SA
password CorrectHorseBatteryStaple
Then modify the command line as follows:
java -cp $CLASSPATH:/usr/share/java/hsqldbutil.jar:/usr/share/java/hsqldb.jar "org.hsqldb.cmdline.SqlTool" --sql="SHUTDOWN;" my-server
Where:
my-server is an arbitrary identifier that you define in sqltool.rc and quote in the command line invocation of SqlTool
db_name is the database name assigned at startup
CorrectHorseBatteryStaple is the SA password (as currently stored in ~/SA.pwd).
Change these as appropriate for your system. As sqltool.rc contains credentials, be sure to lock down its permissions as you would for ~/SA.pwd.
I have created one openLDAP server and one client. Now the requirement is to only allow members of some specific LDAP group to do SSH on this client.
Client machine
i can see the LDAP group using 'getent group'
this is my /etc/pam.d/sshd file
%PAM-1.0
account required pam_access.so
auth required pam_listfile.so onerr=fail item=group sense=allow
file=/etc/openldap/sshgroups
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in
the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
the content of file /etc/openldap/sshgroups:
root
centos
ldap-test-group
but all the LDAP users are able to login to the client machine.
what is wrong here?
Since the accepted answer didn't provide any specific information, I'll provide an example that I was able to come up with. This assumes that you assign users to a unix group "mygroup" which is what controls whether they should log in or not.
In /etc/pam.d/sshd, in an early account line (in my example, the second--after pam_nologin.so), include the following line:
account required pam_access.so
Then in /etc/security/access.conf you can put some lines like:
+:root:ALL
+:localuser:ALL
+:mygroup:ALL
-:ALL:ALL
Which lets users root and "localuser" and anyone in group "mygroup" log in via ssh, but no-one else. Make sure there isn't a user named "mygroup" or your mileage may vary (there are ways to work around the problem). Pro tip: make sure you always leave a way to log in and become root that doesn't depend on LDAP, and test all of this prior adding the -:ALL:ALL rule and don't leave your root shell until you have proved that everything is working the way you want. You do not need to reboot or otherwise reload any configuration files to activate the new configuration. Any new ssh attempt will use the new access policy.
Also note, /etc/security/access.conf might restrict logins other than ssh--sometimes it is used to restrict the (console) login and/or other places where pam_access.so might be referenced--so double check all access mechanisms prior to declaring victory. The last argument in each line controls where the user(s) referenced can come from.
After a lot of hit and trial methods, I was able to get it using pam_access.so and access.conf.
I have found the answer of this issue;
the answer is to right click on the service / properties and logon tab then you should change the password;
but when I change the password and click apply my password does not work and it changes automatically to old one;
what you think I can do now?
This is the wrong forum to ask this question, but your issue is either you're putting in the wrong password for the service account.
OR
The user account you are using with the service does not have correct SQL permissions.
You should read up on SQL Permissions:
https://msdn.microsoft.com/en-us/library/bb669084(v=vs.110).aspx
https://msdn.microsoft.com/en-us/library/bb669065(v=vs.110).aspx
If you tried to update the password the SQL service uses via Windows Services, try instead via SQL Server Configuration Manager. Doing it via Windows Services will not work correctly.
And if you are not 100% sure you are typing the correct password, you may need to update the logon account's password first.
I configured Openldap2.4 on RHEL6.5.
i applied default password policy on my ldap tree.
But, Account lock has been effectively applying only when i do su - username with wrong password .
But when i tried to check with login with putty session or direct ssh it is not applying.
Can any one please help me on the above issue ?.
when i tried using sudo su - testuser2.4
pwdFailureTime: 20150427095439Z
pwdFailureTime: 20150427095445Z
pwdFailureTime: 20150427095451Z
pwdAccountLockedTime: 20150427095451Z
But when i tried direct ssh or putty session with 3 failures still the
policy not applied.
You have to avoid using the managerDN user. That's for use by OpenLDAP itself, and it bypasses all overlays, specifically this one. The overlay will work if you're logging in as a user within the DIT.
I am using ldap for user authentication as mentioned in this link.
http://www-archive.mozilla.org/directory/csdk-docs/writing.htm
Here I am getting "Operations error" while ldap_search_ext_s call. Can anyone tell me what changes I need to do in order to get the user information from Active Directory.
Note : I don't want to enter the dc name and password while binding. Since machines will be running under normal users account (domain users) which do not have admin credentials in domain.Please let me know how to do binding in this case also.
My machine details :
Mac Lion, 64 Bit.
I am trying to connect to Windows Active Directory.
Thanks,
Tausif.
You need to bind with a valid username and password when connecting to a Windows Active Directory server in most cases.
When you're performing your ldap_simple_bind_s(), the two NULL parameters need to be replaced - the first with the DN of the user that is performing the bind, the second with the password for that DN.
There's more link detail in this answer