Should Kerberos cache file remain empty after successful authentication? - kerberos

I'm struggling with connecting to Impala which is part of a kerberised CDH cluster via JDBC driver. For authentication I need to acquire a Kerberos ticket on my machine. kinit works like a charm. The strange is that, when I setup KRB5CCNAME variable pointing to a file the file remains empty after successful authentication, but klist shows that I'm authenticated. Is it the expected behaviour?
The reason I ask this is that, my java app can't connect to Impala and the error message suggest that the empty file could be the problem. However, a python script can connect to the same Impala from the same machine.
It is a Mac 2018.

It shouldn't.
Apple has its own bundled kerberos implementation (Heimdal) which does this strange empty file thing.
I installed krb5 package from brew, modified the PATH accordingly and it works fine.
myself#mymachine:~$ brew info krb5
krb5: stable 1.16.2 (bottled) [keg-only]
Network authentication protocol
https://web.mit.edu/kerberos/
/usr/local/Cellar/krb5/1.16.2 (160 files, 3.7MB)
Poured from bottle on 2018-12-18 at 15:20:46
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/krb5.rb
==> Dependencies
Required: openssl ✔
==> Caveats
krb5 is keg-only, which means it was not symlinked into /usr/local,
because macOS already provides this software and installing another version in
parallel can cause all kinds of trouble.
If you need to have krb5 first in your PATH run:
echo 'export PATH="/usr/local/opt/krb5/bin:$PATH"' >> ~/.bash_profile
echo 'export PATH="/usr/local/opt/krb5/sbin:$PATH"' >> ~/.bash_profile
For compilers to find krb5 you may need to set:
export LDFLAGS="-L/usr/local/opt/krb5/lib"
export CPPFLAGS="-I/usr/local/opt/krb5/include"
For pkg-config to find krb5 you may need to set:
export PKG_CONFIG_PATH="/usr/local/opt/krb5/lib/pkgconfig"
==> Analytics
install: 198 (30 days), 614 (90 days), 1,986 (365 days)
install_on_request: 182 (30 days), 557 (90 days), 1,768 (365 days)
build_error: 0 (30 days)
myself#mymachine:~$ /usr/bin/klist --version
klist (Heimdal 1.5.1apple1)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs#h5l.org
Similar issue will arise on Windows, where Kerberos does not respect whether KRB5CCNAME environment variable is set or not. The solution for this is using older version. This page mentions 4.0.1 version, however on the Kerberos page you can find 4.1. The first will use file cache, the latter will use API and pretty difficult to ask it not to use it.

Related

pg: unknown authentication message response: 10 (Golang) [duplicate]

I'm trying to follow the diesel.rs tutorial using PostgreSQL. When I get to the Diesel setup step, I get an "authentication method 10 not supported" error. How do I resolve it?
You have to upgrade the PostgreSQL client software (in this case, the libpq used by the Rust driver) to a later version that supports the scram-sha-256 authentication method introduced in PostgreSQL v10.
Downgrading password_encryption in PostgreSQL to md5, changing all the passwords and using the md5 authentication method is a possible, but bad alternative. It is more effort, and you get worse security and old, buggy software.
This isn't a Rust-specific question; the issue applies to any application connecting to a Postgres DB that doesn't support the scram-sha-256 authentication method. In my case it was a problem with the Perl application connecting to Postgres.
These steps are based on a post.
You need to have installed the latest Postgres client.
The client bin directory (SRC) is "C:\Program Files\PostgreSQL\13\bin" in this example. The target (TRG) directory is where my application binary is installed: "C:\Strawberry\c\bin". My application failed during an attempt to connect the Postgres DB with error "... authentication method 10 not supported ...".
set SRC=C:\Program Files\PostgreSQL\13\bin
set TRG=C:\Strawberry\c\bin
dir "%SRC%\libpq.dll" # to see the source DLL
dir "%TRG%\libpq__.dll" # to see the target DLL. Will be replaced from SRC
cp "%SRC%\libpq.dll" %TRG%\.
cd %TRG%
pexports libpq.dll > libpq.def
dlltool --dllname libpq.dll --def libpq.def --output-lib ..\lib\libpq.a
move "%TRG%"\libpq__.dll "%TRG%"\libpq__.dll_BUP # rename ORIGINAL name to BUP
move "%TRG%"\libpq.dll "%TRG%"\libpq__.dll # rename new DLL to ORIGINAL
At this point I was able successfully connect to Postgres from my Perl script.
The initial post shown above also suggested to copy other DLLs from source to the target:
libiconv-2.dll
libcrypto-1_1-x64.dll
libssl-1_1-x64.dll
libintl-8.dll
However, I was able to resolve my issue without copying these libraries.
Downgrading to PostgreSQL 12 helped

Oracle TNS Permission Denied *

I'm using:
CentOS 6.7
Zend.1.2.15 using oci8, using instantclient 11.2 x64
PHP 5.4.45
Trying to connect to an Oracle:
Oracle Database 10g Release 10.2.0.4.0
Already checked credentials, already tried to connet to other Oracle server but the error still the same:
12546 ORA-12546: TNS:permission denied *
Already gave 0777 permission to /usr/local/oracle/11.2/client64/ following some answer around but none of them solved.
Server does not have the IP in any sort of blacklist.
The same code runs in any other Windows PC with OracleInstantClient and no further configuration was needed on the server about giving an IP permissions to access or any permission at all.
Is there something more that I can check to solve this?
After hours searching I found this article: http://www.emsperformance.net/2013/12/20/connecting-to-oracle-database-from-php-with-oci8/ which is by far the best article explaining the installation process of LAMP, Oracle, Zend.
The setting I was missing is:
setsebool -P httpd_can_network_connect on
Edit: After a while this answer still looks useful to someone, worths to say that this happens because the machine has SELinux activated, usually in the enforcing mode. I would not recommend to disable SELinux, but setting it to permissive looks to ease the process of identifying some problems with it. You can check SELinux status by sestatus.
A full list of booleans on SELinux is available at: https://wiki.centos.org/TipsAndTricks/SelinuxBooleans
Overall information: https://wiki.centos.org/HowTos/SELinux

Enabling FIPS causes libgcrypt error

I have two CentOS 6.7 machines (server A and B). Same package versions are installed on each system.
Last week I enabled the openSSH FIPS 140-2 module on Server A, and that system works flawlessly (including tsql queries to a SQL Server instance).
Today I went through the same steps on Server B (in the link above). After rebooting, fips showed enabled and tested OK - but tsql (to the same SQL Server instance) stopped working with the following error:
[serverB ~]# tsql -S egServer80 -U myusername
Password:
locale is "en_US.UTF-8"
locale charset is "UTF-8"
using default charset "UTF-8"
Error 20002 (severity 9):
Adaptive Server connection failed
There was a problem connecting to the server
I check the log files and find this:
tsql: Libgcrypt warning: MD5 used - FIPS mode inactivated
Enabling debug in freetds yielded this additional error:
14:56:46.617196 3577 (net.c:1366):'''handshake failed: GnuTLS internal error.
Backing out the FIPS module (removing fips=1 from grub.conf) and rebooting set things back and I was again able to tsql into my SQL Server instance.
Both CentOS machines use the same libgcrypt version (1.4.5).
Why (or how) is enabling FIPS in grub causing libgcrypt to fail on this one machine? Clearly something configuration is off between the machines, but I cannot spot it, and have exhausted resources in finding where to look next.
NOTE #1:
I can reproduce the tsql problem on Server B without enabling FIPS 140-2 in grub, by creating an empty file /etc/gcrypt/fips_enabled. Removing this file sets the system back to normal, and tsql works again.
NOTE #2:
Adding file /etc/gcrypt/fips_enabled on Server A does not affect tsql function at all.
Additional Information
libgcrypt version 1.4.5
freetds version 0.91
openssl version 1.0.1e
CentOS version 6.7

What does the `--fresh` option do in Brew?

While following installation instructions (e.g., for caffe for os x), I run into the --fresh flag for homebrew. For example,
brew install --fresh -vd snappy leveldb gflags glog szip lmdb
However, I see no documentation about what --fresh does, and I don't find it in the source code for homebrew. What does this flag do? (Or what did it used to do?)
I found an old github issue describing the behavior of --fresh.
The flag was meant to ensure packages would be installed without any previously set compile-time options (like --with-python), but it was removed because it didn't do anything:
commit 64744646e9be93dd758ca5cf202c6605accf4deb
Author: Jack Nagel <jacknagel#gmail.com>
Date: Sat Jul 5 19:28:15 2014 -0500
Remove remaining references to "--fresh"
This option was removed in 8cdf4d8ebf439eb9a9ffcaa0e455ced9459e1e41
because it did not do anything.

Another RMySQL Windows 7 install issue

I am trying to install RMySQL on my Windows 7 Professional x64 machine using R-2.15.1, RTools 2.16 (also tried 2.15), and MySQL 5.5.
I have copied libmysql.dll and libmysql.lib into mysql\lib\opt and \bin. I have also copied libmysql.dll into R-2.15.1\bin.
I have set Renviron.site properly as confirmed by Sys.getenv('MYSQL_HOME') using both the 8.3 nomenclature as well as non-8.3 nomenclature.
Sample output for Sys.getenv('MYSQL_HOME') is "C:/Program Files/MySQL/MySQL Server 5.5/" (quotes included). When I use 8.3 nomenclature it also is correct.
Here is the relevant part of my PATH:
c:\Rtools\bin;c:\Rtools\gcc-4.6.3\bin;C:\Program Files\MySQL\MySQL Server 5.5\lib\opt;c:\program file\R\R-2.15.1\bin;
I have manually inserted it into the registry in the right location (because the MySQL 5.5 doesn't do that properly - it only puts it under the Wow6432Node) AND I inserted it into the system variables to deal with this error:
Error in utils::readRegistry("SOFTWARE\MySQL AB", hive = "HLM", maxdepth = 2) :Registry key 'SOFTWARE\MySQL AB' not found
I even tried
Sys.setenv('MYSQL_HOME=C:/Program Files/MySQL/MySQL Server 5.5/')
However, when I try to install RMySQL I get the following error:
checking for $MYSQL_HOME... not found... searching registry...
cygwin warning:
MS-DOS style path detected: C:/PROGRA~1/R/R-215~1.1/bin/x64/Rscript
Preferred POSIX equivalent is: /cygdrive/c/PROGRA~1/R/R-215~1.1/bin/x64/Rscript
CYGWIN environment variable option "nodosfilewarning" turns off this warning.
Consult the user's guide for more details about POSIX paths:
http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
Try setting MYSQL_HOME to one of the following (you may have to use the non-8dot3 file name):
ERROR: configuration failed for package 'RMySQL'
If I am understanding the error properly, it can't find MYSQL_HOME, even though it calls it properly using Sys.getenv, is located in the proper location in the registry, AND is a system variable.
I have a similar issue with my Windows 7 x64 installation.
I think the problem is not related to the MYSQL_HOME, but to the registry.
As you can see here:
https://dev.mysql.com/doc/refman/5.1/en/windows-install-wizard.html
the default location for the registration is not SOFTWARE\MySQL AB but SOFTWARE\Wow6432Node\MYSQL AB.
I believe the answer is here:
http://martin.von-gagern.net/howtos/20110728-rmysql/