kpasswd - Incorrect net address changing password - kerberos

I setup a server on AWS with krb5-kdc.
$ dpkg -l | grep krb5
ii krb5-admin-server 1.12+dfsg-2ubuntu5.3 amd64 MIT Kerberos master server (kadmind)
ii krb5-kdc 1.12+dfsg-2ubuntu5.3 amd64 MIT Kerberos key server (KDC)
ii krb5-user 1.12+dfsg-2ubuntu5.3 amd64 Basic programs to authenticate using MIT Kerberos
I can run kadmin.local and kinit, but kpasswd fails:
kpasswd: Incorrect net address changing password
How can I fix this?
P.S. After a little googling I found a mail from Russ Allbery.
But I am not using Microsoft AD, and I'm clueless now.

I have three different network areas besides the one with the KDC.
So I tried kpasswd in those three areas:
two areas succeeded and one raised the error.
So I worked around it by using the other IP address of the KDC in that area (the KDC had two IP addresses).

Related

I cannot SSH with Kerberos in VS Code on Windows 10 even though PuTTY works fine

Problem Summary:
I can SSH to remote host using Kerberos and PuTTY on Windows 10, but I can't connect using VS Code.
Steps I have tried:
I used MIT Kerberos Ticket Manager to generate a Kerberos API key.
Then, in PuTTY I selected both "Attempt GSSAPI authentication" and "Allow GSSAPI credential delegation". After entering the host name and my username, I can successfully connect to the remote host in PuTTY.
However, I cannot connect to the remote host in VS Code using the following SSH config file:
Host my-host
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
User my-name
My error looks like this:
I learned from this Stack Overflow answer that Windows "has two Kerberos libraries (MIT KfW & Windows SSPI)", so my suspicion is that VS Code is not looking for GSSAPI libraries in the correct order, like the PuTTY screen shot. But I don't know how to specify the order like in PuTTY.
Please help! Thanks!

Error 422 after installing gitlab on centos 7

I got into trouble after installing GitLab on CentOS 7. The first time, I was redirected to the admin password creation page, and after entering the password for the admin user the server sent an error.
422
The change you requested was rejected.
I had set the url value based on the site guide.
Set the external_url in /etc/gitlab/gitlab.rb:
external_url "https://example.com/gitlab"
I checked the links below for similar situations. I didn't find the right answer. My server was in the local area and had no internet access.
Error 422 after installing gitlab on Ubuntu 18.04
After Update Error: "422 The change you requested was rejected."
Error 422 after installing Gitlab on Ubuntu 16.04
I made a mistake when installing GitLab. In the /etc/gitlab/gitlab.rb file I put the local GitLab address with https, but due to the local server setup there was no "Let's Encrypt" service and I did not intend to access the site via SSL. I modified the address in the file and turned "https" into "http". After modifying it and running the following commands, the problem was fixed.
sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart

Alias forwarding: "550 mailbox unavailable", Receiving and sending works fine

Hello Folks!
I am in trouble and hope you can help!
I have been using my VPS (ubuntu 14.04) with exim4/dovecot for years now without problems.
One common use is to receive mail from a gmx.de address (to an alias on my domain) and let it be distributed by the alias setting to some web.de addresses and also to addresses on my domain.
The way it should be is: ORIGIN -> ALIAS@MYDOMAIN -> (DEST1, DEST2, ...)
Since yesterday, this "alias forwarding" does not work anymore. This is the typical exim log:
2016-05-25 18:12:59 1b5bQZ-0000KU-Kl <= ORIGIN@gmx.de H=mout.gmx.net [212.227.15.18] P=esmtp S=51309 id=ID@mail.gmx.com
2016-05-25 18:12:59 1b5bQZ-0000KU-Kl ** DEST1@web.de <ALIAS@MYDOMAIN.de> R=dnslookup T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<ORIGIN@gmx.de> SIZE=53021: host mx-ha03.web.de [212.227.15.17]: 550-Requested action not taken: mailbox unavailable 550-Reject due to SPF policy. 550-The originating IP of the message is not permitted by the domain owner.
2016-05-25 18:12:59 1b5bQZ-0000KU-Kl ** DEST2@web.de <ALIAS@MYDOMAIN.de> R=dnslookup T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<ORIGIN@gmx.de> SIZE=53021: host mx-ha03.web.de [212.227.15.17]: 550-Requested action not taken: mailbox unavailable 550-Reject due to SPF policy. 550-The originating IP of the message is not permitted by the domain owner.
2016-05-25 18:12:59 1b5bQZ-0000KU-Kl ** DEST3@web.de <ALIAS@MYDOMAIN.de> R=dnslookup T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<ORIGIN@gmx.de> SIZE=53021: host mx-ha03.web.de [212.227.15.17]: 550-Requested action not taken: mailbox unavailable 550-Reject due to SPF policy. 550-The originating IP of the message is not permitted by the domain owner.
2016-05-25 18:13:00 1b5bQZ-0000Kl-Ud <= <> R=1b5bQZ-0000KU-Kl U=Debian-exim P=local S=53469
2016-05-25 18:13:00 1b5bQZ-0000KU-Kl Completed
The same happens if I test it with a web.de address as ORIGIN, whereas a gmail address or one from MYDOMAIN work just fine as ORIGIN.
Importantly, it seems to be only a problem of the aliasing. I can send mails from e.g. web.de to ADDRESS@MYDOMAIN and vice versa.
My MX points to the right spot (obviously, because it used to work for a long time now) and I have checked that my IP and DOMAIN are not in the spamhouse of web.de/gmx.de.
Any suggestions are highly welcome!!
Best, Bb
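The log lines above carry the signature of the failure: a permanent delivery failure ("**") to an external recipient, routed via an alias on the local domain, with a MAIL FROM that still belongs to the original sender's domain, and a 550 reply mentioning SPF. The following is an added example (not part of the question or any answer) that parses constructed exim mainlog lines modelled on those in the question and flags exactly that pattern, so a postmaster can see which origin domains and which receiving MXes are rejecting unrewritten forwards. The sample addresses, hosts and IPs are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample, modelled on the exim mainlog lines in the question.
# Addresses, hosts and IPs are placeholders, not real mailboxes or servers.
SAMPLE_LOG = """\
2016-05-25 18:12:59 1b5bQZ-0000KU-Kl <= origin@gmx.example H=mout.gmx.example [203.0.113.18] P=esmtp S=51309
2016-05-25 18:12:59 1b5bQZ-0000KU-Kl ** dest1@web.example <alias@mydomain.example> R=dnslookup T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<origin@gmx.example> SIZE=53021: host mx-ha03.web.example [203.0.113.17]: 550-Requested action not taken: mailbox unavailable 550-Reject due to SPF policy. 550-The originating IP of the message is not permitted by the domain owner.
2016-05-25 18:12:59 1b5bQZ-0000KU-Kl ** dest2@web.example <alias@mydomain.example> R=dnslookup T=remote_smtp: SMTP error from remote mail server after MAIL FROM:<origin@gmx.example> SIZE=53021: host mx-ha03.web.example [203.0.113.17]: 550-Requested action not taken: mailbox unavailable 550-Reject due to SPF policy. 550-The originating IP of the message is not permitted by the domain owner.
2016-05-25 18:13:00 1b5bQZ-0000KU-Kl ** dest3@mydomain.example <alias@mydomain.example> R=localuser T=local_delivery: mailbox is full
2016-05-25 18:13:00 1b5bQZ-0000Kl-Ud <= <> R=1b5bQZ-0000KU-Kl U=Debian-exim P=local S=53469
2016-05-25 18:13:00 1b5bQZ-0000KU-Kl Completed
"""

# "**" marks a permanent delivery failure; "<addr>" after the recipient is the
# address the message was routed through (the alias, for forwarded mail).
FAIL_PREFIX = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) \*\* (?P<rcpt>\S+)(?: <(?P<via>[^>]+)>)?")
MAIL_FROM = re.compile(r"MAIL FROM:<(?P<sender>[^>]*)>")
REMOTE_HOST = re.compile(r"host (?P<host>\S+) \[(?P<ip>[^\]]+)\]: (?P<reply>5\d\d.*)$")


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def parse_failures(log_text):
    """Return one record per permanent delivery failure in an exim mainlog."""
    records = []
    for line in log_text.splitlines():
        m = FAIL_PREFIX.match(line)
        if not m:
            continue
        rec = m.groupdict()
        mf = MAIL_FROM.search(line)
        rec["sender"] = mf.group("sender") if mf else None
        rh = REMOTE_HOST.search(line)
        rec.update(rh.groupdict() if rh else {"host": None, "ip": None, "reply": None})
        # Local failures (no remote 5xx reply) are not SPF problems.
        rec["spf_reject"] = bool(rec["reply"] and "SPF" in rec["reply"])
        records.append(rec)
    return records


def spf_forward_rejects(records, my_domain):
    """Keep SPF rejects where we relayed a foreign envelope sender to an external MX.

    That combination (alias on our domain, recipient elsewhere, MAIL FROM still
    the origin's domain) is what SRS rewriting is meant to fix.
    """
    my_domain = my_domain.lower()
    hits = []
    for r in records:
        if not r["spf_reject"] or not r["sender"]:
            continue
        forwarded = (r["via"] is not None and _domain(r["via"]) == my_domain
                     and _domain(r["rcpt"]) != my_domain)
        foreign_sender = _domain(r["sender"]) != my_domain
        if forwarded and foreign_sender:
            hits.append(r)
    return hits


def summarize(hits):
    """Count rejects per (origin domain, rejecting MX): the postmaster's view."""
    return Counter((_domain(h["sender"]), h["host"]) for h in hits)


if __name__ == "__main__":
    found = spf_forward_rejects(parse_failures(SAMPLE_LOG), "mydomain.example")
    for (origin, mx), n in summarize(found).items():
        print(f"{n} forwarded message(s) from {origin} rejected by {mx} on SPF")
```

Run against a real mainlog, pass your own domain as the second argument of spf_forward_rejects; a non-empty summary means forwarding is still presenting the origin's envelope sender and the fix is sender rewriting, not an MX or blocklist problem.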
GMX seems to have switched to strict SPF checking just yesterday (2016-05-25), and this breaks e-mail forwarding.
This is a long-standing problem with SPF, I don't know whether GMX realizes that they are rejecting a huge number of legitimate e-mails by this stupid decision.
As pointed out by Hans-Martin, SPF breaks email forwarding as explained here. This is however not at all a stupid decision, as it is basically the only thing able to effectively eliminate SPAM.
Fixing this requires that you configure SRS (Sender Rewriting Scheme).
To quote from the postsrsd README:
Imagine your server receives a mail from alice@example.com that is to be forwarded. If example.com uses the Sender Policy Framework to indicate that all legit mails originate from their server, your forwarded mail might be bounced, because you have no permission to send on behalf of example.com. The solution is that you map the address to your own domain, e.g. SRS0+xxxx=yy=example.com=alice@yourdomain.org (forward SRS). If the mail is bounced later and a notification arrives, you can extract the original address from the rewritten one (reverse SRS) and return the notification to the sender. You might notice that the reverse SRS can be abused to turn your server into an open relay. For this reason, xxxx and yy are a cryptographic signature and a time stamp. If the signature does not match, the address is forged and the mail can be discarded.
Setting up postsrsd on Debian 8 (should be very much the same on Ubuntu):
# Dependencies.
sudo apt-get install unzip cmake
# Download and extract source code from GitHub.
cd /tmp
curl -L -o postsrsd.zip https://github.com/roehling/postsrsd/archive/master.zip
unzip postsrsd.zip
# Build and install.
cd postsrsd-master
cmake -DCMAKE_INSTALL_PREFIX=/usr
make
sudo make install
# Start services
sudo systemctl enable postsrsd
sudo service postsrsd start
# Reconfigure Postfix
sudo postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
sudo postconf -e "sender_canonical_classes = envelope_sender"
sudo postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
sudo postconf -e "recipient_canonical_classes = envelope_recipient,header_recipient"
sudo postfix reload
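To make the README's point concrete, here is an added example (written for this page, not code from postsrsd or from the answer) of the forward and reverse SRS0 rewriting it describes, including the two checks that keep reverse SRS from becoming an open relay: an HMAC over the time stamp, origin domain and local part, and an age limit on the time stamp. The layout follows the README's SRS0+xxxx=yy=domain=user@yourdomain.org shape; the choices of HMAC-SHA1 truncated to four base32 characters, a two-character base32 day counter, a 21-day validity window, the secret and the forwarder domain are all assumptions of this example, and postsrsd's own encoding may differ in detail.

```python
import base64
import hashlib
import hmac
import time

# Constructed configuration: the secret and forwarder domain are placeholders
# for this example, not values from any real deployment.
SRS_SECRET = b"constructed-demo-secret-rotate-me"
FORWARDER_DOMAIN = "yourdomain.org"
MAX_AGE_DAYS = 21          # assumption: bounces to older addresses are refused
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _encode_ts(days):
    # Two base32 characters carry (days since the epoch) mod 1024.
    t = days % 1024
    return _B32[(t >> 5) & 31] + _B32[t & 31]


def _decode_ts(ts):
    hi, lo = (_B32.index(c) for c in ts.upper())
    return (hi << 5) | lo


def _sign(ts, domain, local):
    # The HMAC binds time stamp, origin domain and local part to our secret;
    # four base32 characters of the tag are kept, as in the SRS0 layout.
    msg = f"{ts.upper()}{domain.lower()}{local}".encode()
    tag = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    return base64.b32encode(tag).decode()[:4]


def srs_forward(sender, now_days=None):
    """Forward SRS: alice@example.com -> SRS0=HHHH=TT=example.com=alice@yourdomain.org."""
    if now_days is None:
        now_days = int(time.time() // 86400)
    local, sep, domain = sender.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("need a user@domain sender")
    ts = _encode_ts(now_days)
    return f"SRS0={_sign(ts, domain, local)}={ts}={domain}={local}@{FORWARDER_DOMAIN}"


def srs_reverse(address, now_days=None):
    """Reverse SRS: recover the original sender, or raise ValueError for a forged or stale address."""
    if now_days is None:
        now_days = int(time.time() // 86400)
    local, _, domain = address.rpartition("@")
    # Accept any of the separators the SRS scheme allows after the SRS0 tag.
    if (domain.lower() != FORWARDER_DOMAIN or local[:4].upper() != "SRS0"
            or local[4:5] not in ("+", "-", "=")):
        raise ValueError("not an SRS0 address of this forwarder")
    parts = local[5:].split("=", 3)
    if len(parts) != 4:
        raise ValueError("malformed SRS0 address")
    sig, ts, orig_domain, orig_local = parts
    # Constant-time compare: a wrong tag means the address was not made by us.
    if not hmac.compare_digest(sig.upper(), _sign(ts, orig_domain, orig_local)):
        raise ValueError("signature mismatch: forged address, not relaying")
    age = (now_days - _decode_ts(ts)) % 1024
    if age > MAX_AGE_DAYS:
        raise ValueError("time stamp too old: stale address, not relaying")
    return f"{orig_local}@{orig_domain}"


def srs_check(address, now_days=None):
    """True if the address is a valid, unexpired SRS0 address of this forwarder."""
    try:
        srs_reverse(address, now_days)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    rewritten = srs_forward("alice@example.com")
    print(rewritten)
    print(srs_reverse(rewritten))
```

The envelope sender seen by the receiving MX is now at yourdomain.org, whose SPF record you control, so the receiver's SPF check passes; a later bounce comes back to the rewritten address and is accepted for reverse rewriting only if the tag verifies and the address is recent enough.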
It seems GMX switched on strict SPF checking recently, which causes forwarded mails to fail. You'll see something like this in the mail.log:
to=<mailaddress@gmx.de>, orig_to=<mailaddress@mydomain.com>, relay=mx00.emig.gmx.net[212.227.15.9]:25, delay=0.15, delays=0/0.02/0.12/0.01, dsn=5.0.0, status=bounced (host mx00.emig.gmx.net[212.227.15.9] said: 550-Requested action not taken: mailbox unavailable 550-Reject due to SPF policy. 550-The originating IP of the message is not permitted by the domain owner. 550 For explanation visit http://postmaster.gmx.com/en/error-messages?ip=127.0.0.10&c=spf (in reply to MAIL FROM command))
Like L. Gleim pointed out, SRS and installing postsrsd is the solution.
There is a PPA for Ubuntu available as well, so Ubuntu installation can be accomplished by
sudo add-apt-repository ppa:roehling/latest
sudo apt-get update
sudo apt-get install postsrsd
sudo postconf -e "sender_canonical_maps = tcp:127.0.0.1:10001"
sudo postconf -e "sender_canonical_classes = envelope_sender"
sudo postconf -e "recipient_canonical_maps = tcp:127.0.0.1:10002"
sudo postconf -e "recipient_canonical_classes = envelope_recipient,header_recipient"
sudo postfix reload
This made forwarding mails to GMX possible again for me.

Access guest from virsh

I am running Centos 7 x86-64. I installed a guest (again Centos 7) through kickstart as an exercise. I prepared my kickstart file, I validated it and I launched with virt-install.
If something went wrong with the network configuration (During install I got no problem, I created a local repo on Host FTP server as source for the install) how can I connect to the machine?
Is SSH the only way, or does virsh provide some other connection method?
How can I find my machine running network configuration from outside?
I am running a barebone Centos7 installation so only command line, no graphical interface at all.
Thanks,
M.
You can ssh to your physical host from another one that has a graphical interface, with X forwarding enabled (ssh -X machinename), and look at the VM with virt-manager.
You will need X running on the machine you're connecting from. For Mac OS it's XQuartz

Resolve hostnames with arch linux on a RaspberryPi

I have a Pi that runs hostapd and dhcpd on Arch Linux to create its own LAN, with the Pi's (router's) IP being 10.0.0.1. This uses the wlan0 interface and it only serves as a standalone router running a web server.
Once I connect to the Pi, I use 10.0.0.1 to display the web pages, but I want to use a hostname such as firepi. I have tried using dnsmasq, but I haven't been successful. Any help would be greatly appreciated especially if you can give me some detailed examples as I am a novice.
The purpose of this system is that I have created a web app that you can use to ignite fireworks over WiFi at a safe distance. I would just like the convenience of using a hostname instead of the IP address.
I must add that I will more than likely be using an iPhone to connect to the server, should this affect anything.
Not too sure how or why but this is what I did and it is successfully working now, so this is just for future users who may need a similar setup to mine.
First I installed hostapd and dhcpd and made sure they were working. Next I changed '/etc/hostname' to firepi and the '/etc/hosts' and added '10.0.0.1 firepi'. Then I installed dnsmasq, and set the interface to wlan0, and finally added '10.0.0.1 firepi' to '/etc/resolv.conf'.
After a full reboot, I joined the network on my iPhone, navigated to firepi and sure enough, it worked!
Thanks to the other users for their advice and tips.
You can use avahi on Arch as well to resolve your hostname:
sudo pacman -S avahi nss-mdns
Start the avahi daemon:
sudo systemctl enable avahi-daemon.service
sudo systemctl start avahi-daemon.service
Edit /etc/nsswitch.conf
sudo vim /etc/nsswitch.conf
Change the line:
hosts: files myhostname dns
to
hosts: files myhostname mdns_minimal [NOTFOUND=return] dns
Reboot
Note: don't forget to add .local to your hostname.
See also:
http://blog.pixxis.be/post/77285636682/resolve-hostname-with-arch-linux-on-a-raspberry-pi
If you just want to be able to use "firepi" as hostname to connect to it, you can simply add it to your /etc/hosts file using the syntax "IP host".
To make it as easy as possible, run this command as root:
echo "10.0.0.1 firepi" >> /etc/hosts
That'll do the trick.
Can you try avahi ?
sudo apt-get install avahi-daemon and
sudo apt-get install avahi-browse
I've successfully used that on Raspian. Unless you change the hostname using
sudo raspi-config you will access via raspberrypi.local
Note that if you plan to access the RPi from Windows you will need to install the Bonjour Service first (if you have iTunes installed, you might already have it; run services.msc and check if the Bonjour Service is started).
Another note: on a friend's iPhone I installed a generic VNC client, had x11vnc running on the RPi, and successfully managed to connect to the RPi (since avahi-daemon was installed).