We Keep Coding

Is it possibe to have multiple kerberos tickets on same machine?

I have a use case where I need to connect to 2 different DBS using 2 different accounts. And I am using Kerberos for authentication.
Is it possible to create multiple Kerberos tickets on same machine?
kinit account1#DOMAIN.COM (first ticket)
kinit account2#DOMAIN.COM (second ticket)
Whenever I do klist, I only see most recent ticket created. It doesn't show all the tickets.
Next, I have a job that needs to first use ticket for account1 (for connection to DB1) and then use ticket for account2 (for DB2).
Is that possible? How do I tell in DB connection what ticket to use?

I'm assuming MIT Kerberos and linking to those docs.
Try klist -A to show all tickets in the ticket cache. If there is only one try switching your ccache type to DIR as described here:
DIR points to the storage location of the collection of the credential caches in FILE: format. It is most useful when dealing with multiple Kerberos realms and KDCs. For release 1.10 the directory must already exist. In post-1.10 releases the requirement is for parent directory to exist and the current process must have permissions to create the directory if it does not exist. See Collections of caches for details. New in release 1.10. The following residual forms are supported:
DIR:dirname
DIR::dirpath/filename - a single cache within the directory
Switching to a ccache of the latter type causes it to become the primary for the directory.
You do this by specifying the default ccache name as DIR:/path/to/cache on one of the ways described here.
The default credential cache name is determined by the following, in descending order of priority:
The KRB5CCNAME environment variable. For example, KRB5CCNAME=DIR:/mydir/.
The default_ccache_name profile variable in [libdefaults].
The hardcoded default, DEFCCNAME.

PTC Integrity to get the latest code from repository

how to get the latest version of code from the MKS repository ??
using MKS commands

To get last version of a project from mks repository, first you should create a sandbox and then you can resync the sandbox with server.
To create a sandbox use the command si createsandbox
si createsandbox --project=%mks_Project% -R -Y %sandboxLocation%
this command will create a sandbox of project from normal line. If you work on devpath then you should add --devpath=%projectDevpath% on the command
To resync a sandbox use the command si resync --sandbox=%sandboxName%. e.g. si resync --sandbox="D:/sandbox/project1/project.pj"
Please be sure you replace all fields between % this the proper value. Depending of your server configuration, the command cand be diferent.
sI createsanbox help
Usage: si createsandbox options... directory; options are:
--lineTerminator=[lf|crlf|native|cr] Line terminator to use in this sandbox
--[no]populate Populate sandbox with members
-R Recurse into subsandboxes creation
--[no|confirm]recurse Recurse into subsandboxes creation
--scope=attribute:name[=value]
memberrevlabellike:<expression>
anyrevlabellike:<expression>
name:<expression>
path:<expression>
type:text|binary
any
--[no]shared Allow sandbox to be shared
--[no]sparse Create sparse sandbox
--[no]openView Activate sandbox view after completing the command
--devpath=value The development path (to refer variant projects)
--[no]failOnAmbiguousProject Whether to abort when multiple projects correspond to a flat project string.
-P value The name of the target project
--project=value The name of the target project
--projectRevision=value The project revision (to refer build projects)
--[no]awaitServer If server does not respond, keep trying
-? Shows the usage for a command
--[no]batch Control batch mode (no user interaction in batch mode)
--cwd=value Act as if command executed in specified directory
-F value Read the selection from a specified file
--forceConfirm=[yes|no] Specify an answer to all confirmation questions
-g User interaction should happen via the GUI
--gui User interaction should happen via the GUI
--hostname=value Hostname of server
-N Responds to all confirmations with "no"
--no Responds to all confirmations with "no"
--password=value Credentials (e.g., password) to login with
--port=value TCP/IP port number of server
--quiet Control status display
--selectionFile=value Read the selection from a specified file
--settingsUI=[gui|default] Control UI for command options
--status=[none|gui|default] Control status display
--usage Shows the usage for a command
--user=value Username to login to server with
-Y Responds to all confirmations with "yes"
--yes Responds to all confirmations with "yes"
si resync help
Usage: si resync options... current or former member/subproject...; options are:
--[no]byCP Operate in change package mode
--[no]confirm In change package mode, proceed without a question
--[no]confirmPopulateSparse Confirm populate of a sparse sandbox
--[no|confirm]downgradeOnLockConflict Whether to downgrade my existing exclusive lock to a non exclusive lock if an exclusive lock already exists on the member revision
--[no]includeDropped Include former members
--[no|confirm]merge Perform merges if required
--mergeType=[confirm|cancel|automatic|manual] Try to automatically perform the merge or launch the conflict resolution tool
--onMergeConflict=[confirm|cancel|mark|launchtool|highlight|error] What to do when conflicts occurred during the merge
--[no|confirm]overwriteIfPending Force overwrite of working files which correspond to pending revisions or pending members.
--[no]populate Populate the sandbox with working files
--[no|un]expand Whether keywords should be expanded in working files
-f Force overwrite of changed working files
--[no|confirm]overwriteChanged Force overwrite of changed working files
--[no|confirm]overwriteDeferred Force overwrite of working files with deferred operations pending
--[no]overwriteUnchanged Force overwrite of unchanged working files
--[no|confirm]removeOutOfScope Force removal of out of scope working files
--[no]restoreTimestamp Set the timestamp on the working file to the revision's timestamp
--filter=attribute:name[=value]
changed[:working|:sync|:newer|:size|:missing|:newmem|:all]
file:<expression>
frozen
label[:name]
locked[:name]
locktype[:exclusive|:nonexclusive|:any]
state[:name]
format[:text|:binary]
workingbranch
anylabel[:name]
deferred[:add|:addfromarchive|:checkin|:drop|:import|:move|:rename|:updaterevision|:all]
unresolvedmerges
memberonbranch
pending[:add|:addfromarchive|:drop|:import|:movememberfrom|:movememberto|:renamefrom|:renameto|:update|:updaterevision|:all]
workinprogress
sparsecontents
rule[:defined|:invalid|:memberrevdiffers]
archiveshared
caseinsensitivefile:<expression>
outofscope
-R Select recursively
--[no|confirm]recurse Select recursively
--[no]failOnAmbiguousProject Whether to abort when multiple projects correspond to a flat project string.
-S value The name of the sandbox
--sandbox=value The name of the sandbox
--[no]awaitServer If server does not respond, keep trying
-? Shows the usage for a command
--[no]batch Control batch mode (no user interaction in batch mode)
--cwd=value Act as if command executed in specified directory
-F value Read the selection from a specified file
--forceConfirm=[yes|no] Specify an answer to all confirmation questions
-g User interaction should happen via the GUI
--gui User interaction should happen via the GUI
--hostname=value Hostname of server
-N Responds to all confirmations with "no"
--no Responds to all confirmations with "no"
--password=value Credentials (e.g., password) to login with
--port=value TCP/IP port number of server
--quiet Control status display
--selectionFile=value Read the selection from a specified file
--settingsUI=[gui|default] Control UI for command options
--status=[none|gui|default] Control status display
--usage Shows the usage for a command
--user=value Username to login to server with
-Y Responds to all confirmations with "yes"
--yes Responds to all confirmations with "yes"

The best way shall be to check-out the head revision with/out lock.

Powershell Add Local Group to Local Group

I'm able to properly add a local user to a local group on my machine, but I can't add a local group to another local group. What is the syntax for this?
$targetGroup = [ADSI]"WinNT://$computerName/$targetGroupName,group"
$targetGroup.Add("WinNT://$computerName/$groupName")
The above results in this error:
Exception calling "Add" with "1" argument(s): "A new member could not be added to a local group because the member has the wrong account type.
I'm trying to add a local group to a local group, in Windows Server 2012.

You can nest domain groups, but local group nesting is not supported. This technet article explains in detail.
http://technet.microsoft.com/en-us/library/ee681621(v=ws.10).aspx
Have you considered listing all the users of the "subgroup" and adding them to the target group? This obviously would not create a permanent linking like a sub group would. But it would ensure each member of the "subgroup" are members of the target group at the time the script is run.

Local groups cannot be added to other local groups. This is a limitation of Windows. It's not that you don't have to right code; it just can't be done.
Reference
A local group cannot be found if it is nested inside another group on a Windows Server-based or Windows-based client

Can I CREATE TRIGGER in an rds DB?

I'm trying to create a trigger on a table in my Amazon RDS database, and I can't seem to make it happen.
I tried to create a trigger on a table in the mysql client I use (Navicat), and got the error that I needed the SUPER privilege to do so. After some searching, I found that you could SET GLOBAL log_bin_trust_function_creators = 1 to get around this. I tried that using these instructions: http://getasysadmin.com/2011/06/amazon-rds-super-privileges/ (and then restarting the DB server for good measure), but no luck.
I also tried creating the trigger and setting the variable via the mysql commmand line to make sure Navicat wasn't adding anything unwanted to my sql commands, but that failed, too. It also seems from searching that there's no way to grant yourself the SUPER privilege.
So ... is creating a trigger possible in RDS?

Its easy!
Open the RDS web console.
Open the “Parameter Groups” tab.
Create a new Parameter Group. On the dialog, select the MySQL family compatible to your MySQL database version, give it a name and confirm.
Select the just created Parameter Group and issue “Edit Parameters”.
Look for the parameter ‘log_bin_trust_function_creators’ and set its value to ’1′.
Save the changes.
Open the “Instances” tab. Expand your MySQL instance and issue the “Instance Action” named “Modify”.
Select the just created Parameter Group and enable “Apply Immediately”.
Click on “Continue” and confirm the changes.
Again, open the “Instances” tab. Expand your MySQL instance and issue the “Instance Action” named “Modify”.
Dont forget: Open the “Instances” tab. Expand your MySQL instance and issue the “Instance Action” named “Reboot”.
Via - http://techtavern.wordpress.com/2013/06/17/mysql-triggers-and-amazon-rds/

No it is actually not impossible it just takes far too much extra work.
First off it seems to be impossible to apply Super Privileges to a default parameter group.
So what I had to do was to create a new DB Parameter group either through the Console, or the CLI.
What I found was, the key is that the default region was not the region I was trying to use so I had to use a --region parameter to apply it to the group in the correct region where I was deploying my DB Instance
rds-create-db-parameter-group --db-parameter-group-name allow-triggers --description 'parameter group to allow triggers' --region your-region
Next I had to create a DB Instance which used that parameter group. (Again through the console or CLI)
rds-create-db-instance
Then I had to modify the Parameter group to allow log_bin_trust_function_creators only accomplishable through the CLI
rds-modify-db-parameter-group --db-parameter-group-name yourgroupname --region yourRegion --parameters 'name=log_bin_trust_function_creators,value=true,method=immediate'
Lastly I had to modify the created DB Instance to allow triggers, also CLI only.
rds-modify-db-instance --db-instance-identifier your-db-instance-id --db-parameter-group-name allow-triggers --apply-immediately

In addition to the parameter group modification that others have already mentioned, there is a further challenge that arises when using a MySQL database dump (via mysqldump) to create triggers in an AWS RDS instance. You may get a message like this:
ERROR 1227 (42000) at line 875: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
This happens because the dump contains "definer" entries with a username that's different than your RDS master username. One solution is to replace the definer username with your RDS master username. Another solution is not to use mysqldump to create your database.
See this blog post for more information:
http://www.percona.com/blog/2014/07/02/using-mysql-triggers-and-views-in-amazon-rds/

EDIT: It turns out Multi-AZ for MySQL uses "physical replication" and not logical replication, so this may not be correct. At least that's what their documentation says: https://aws.amazon.com/rds/details/multi-az/ - I have asked on their forums what this means, but did not get a reply. What's weird is that my RDS Multi-AZ instance claims it's a "master in a replication setup", even though I have no read replicas.
As the question has already been addressed, this is a comment more than an answer:
I'm surprised nobody takes into account why this feature is not available as a default. Amazon wouldn't disable it just to make people's lives harder.
In a master/slave replication it can be dangerous to use stored procedures and triggers that modify data (as in perform queries other than SELECT).
Please have a read below before disabling this restriction in a master/slave setup, which Amazon RDS is when you use Multi-AZ (and you should, for production at least).
http://dev.mysql.com/doc/refman/5.6/en/stored-programs-logging.html

I followed the above but it did not work for me. I spent almost a day to figure out why it is not working and now I know why. I am listing down steps that I followed to make it work.
Created mysql parameters group using aws web console (make sure that it should have same family as the default parameter group. Earlier, I had created a parameter group but it had different family and so it did not work. This is critical step.
Using aws web console change value of log_bin_trust_function_creators to 1
Apply new parameter group. This is another critical step
rds-modify-db-instance –I $AWS_ACCESS_KEY –S $AWS_SECRET_KEY –region $EC2_REGION \ –db-instance-identifier $DB_INSTANCE \
–db-parameter-group-name $DB_GROUPNAME \
–apply-immediately
You need RDSCli from - http://s3.amazonaws.com/rds-downloads/RDSCli.zip
Then verify if parameter group is associated with your db instance
rds-describe-db-instances \
–I $AWS_ACCESS_KEY \
–S $AWS_SECRET_KEY \
–region $EC2_REGION
And then reboot before you try creating trigger
rds-reboot-db-instance \
–I $AWS_ACCESS_KEY \
–S $AWS_SECRET_KEY \
–region $EC2_REGION \
–db-instance-identifier $DB_INSTANCE
Remember to set below environment variable before you try above commands.
export AWS_ACCESS_KEY=’*****’
export AWS_SECRET_KEY=’*****’
export EC2_REGION=’region’
export AWS_RDS_BIN=”$AWS_RDS_HOME/bin”
export PATH=$PATH:$AWS_RDS_BIN
export JAVA_HOME=c:/jdk1.6_25 (in most cases this is already set)
Thanks to http://blog.iprofs.nl/2013/03/20/rds-database-triggers-for-mysql/ for full details.

AWS lays out how to enable functions and triggers in this post
Create a DB parameter group for your MySQL instance:
Sign in to the AWS Management Console and open the Amazon RDS console.
In the navigation pane, choose Parameter Groups.
Choose Create Parameter Group. The Create Parameter Group window appears.
For Parameter Group Family, choose the parameter group family.
For Group Name, type the name of the new DB parameter group.
For Description, type a description for the new DB parameter group.
Choose Create.
Important
After you create a DB parameter group, you should wait at least 5 minutes before creating your first DB instance that uses that DB parameter group.
For more information about creating a DB parameter group, see Working with DB Parameter Groups - Creating a DB Parameter Group.
Modify the newly created parameter group and set the following parameter:
In the navigation pane, choose Parameter Groups. The available DB parameter groups appear in a list.
In the list, select the parameter group you want to modify.
Choose Edit Parameters and set the following parameter to the specified value:
log_bin_trust_function_creators = 1
Choose Save Changes.
Important
After you modify a DB parameter group, you should wait at least 5 minutes before creating your first DB instance that uses that DB parameter group.
For information about modifiying a DB parameter group, see Working with DB Parameter Groups - Modifying Parameters in a DB Parameter Group.
Associate your RDS DB instance with the new or modified DB parameter group:
In the navigation pane, choose Instances.
Select the DB instance you want to associate with a DB parameter group.
On the Instance Actions menu, choose Modify.
In the Modify DB Instance dialog box, under Database Options, choose the parameter group you want to associate with the DB instance. Changing this setting does not result in an outage. The parameter group name changes immediately, but the actual parameter changes are not applied until you reboot the instance without failover.
Apply changes by rebooting the instance.

For me, it worked as the #foxybagga's answer suggest, but I needed to update the generated sql's dump (from mysqlworkbench) to have CURRENT_USER as the DEFINER
ie:
DELIMITER ;;
/*!50003 CREATE*/ /*!50017 DEFINER=CURRENT_USER*/ /*!50003 TRIGGER `sod_db`.`date`
BEFORE INSERT ON `sod_db`.`CashOut`
FOR EACH ROW
BEGIN
SET NEW.created = NOW();
END */;;
DELIMITER ;
/*!50003 SET sql_mode = #saved_sql_mode */ ;
/*!50003 SET character_set_client = #saved_cs_client */ ;
/*!50003 SET character_set_results = #saved_cs_results */ ;
/*!50003 SET collation_connection = #saved_col_connection */ ;
I hope this helps someone is having the same problem.

Object contains only the public half of a key pair

Upon installation of a client side certificate, I am getting the exception "Object contains only the public half of a key pair. A private key must also be provided". My application is a VC#.NET application running over an ASP.NET platform. The application also uses WSE 2.0 to import certificates into making SOAP requests.
Upon research, I've found that this exception is of type System.Security.Cryptography.CryptographicException.
I am pretty positive all my WSE settings are configured correctly, since I was able to find a similar certificate by subject-distinguished-name. Any ideas will be greatly appreciated.

I was recently having the same problem. I found one explanation here that worked for me. Specifically, the permissions for the private key. The full info is copied below.
There are a couple things that I would
look at first:
Do you have a private key for this certificate?
Have you given permission for youf application to access the private
key?
You can establish whether you have a
private key by viewing the certificate
through the Windows Certificate Store.
To get to this, follow these steps:
From the Windows Start menu, select Run.
Type mmc in the Open: field. Click OK
Select "Add/Remove Snap-in" from the File menu.
Click the Add button.
Select "Certificates" from the list of Available Standalone Snap-ins.
Click the Add button.
Select "Computer account." Click Next.
Select "Local Computer". Click Finish.
Click Close.
Click OK.
Expand the Certificates node under the Console Root and open the
Personal store.
Double-click the Certificate you're using. If you have a private
key, the dialog will display a message
at the bottom that says "You have a
private key that corresponds to this
certificate".
If you have a private key, then ensure
that your application has permission
to access the key:
Open Windows Explorer.
Navigate to the C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys
folder.
Select the files containing the keys that the WSE will need to
retrieve.
From the File menu, select Properties.
On the Security tab, add the ASPNET account and select th e Full
Control option.
Notes:
1. Determining which key file in the MachineKeys folder is
associated with a certificate can be
difficult. One easy method is to note
the creation date and time when
creating a new certificate. When you
view the files in the MachineKeys
directory, check the Date Modified
field for the corresponding date and
time.
2. If you have configured your system to run under a different
account than ASPNET, use that account
when granting permissions to access
the certificate.

As per my experience it could be failing because of two reasons.
Check if your cert has private key available.
If that is .net application then check if you have given permission to cert to make sure your application has permission to access the cert. In my case adding the "iis_iusrs" and given read permission does work for me.
Thanks.

After encountering the same exception: System.Security.Cryptography.CryptographicException, Object contains only the public half of a key pair, I proofed an alternative, but less optimal solution.
Situation: Certificate / key look up worked great inside of Visual Studio IIS Express, but while the Web Application was running under the proper IIS service, I always received the 'Contains only public half of key pair' exception.
I used the WSE3 CertificateTool to locate the private key section on the filesystem and attempted at length to adjust the user permission settings to give the ASP user permissions as per the above answer.
My eventual fix, which was not pretty, was to create a new IIS Application Pool specific to my Web service code and set the user Identity the pool runs as the Local machine owner of the certificate + private key.
The final location I installed the certificate in was "Local Computer / Trusted People".
Using WSE3 CustomPolicyAssertion, C# .NET:
clientToken = X509TokenProvider.CreateToken(StoreLocation.LocalMachine,
StoreName.TrustedPeople, "soap.partnersite.com", X509FindType.FindBySubjectName);
After updating the App Pool Identity, no private key file overrides were necessary when changing the application pool owner.