I've been using Kerberos for about a month now with 0 problems whatsoever. Today I decided to test out the kdestroy command because I had been reading about it for a little. Unfortunately now I can't use kinit to authenticate myself!
When I use the kinit command and type in my password I get this error message
kinit: krb5_get_init_creds: Error from KDC: CLIENT_NOT_FOUND
I'm not sure why? I don't understand. I thought kdestroy just wiped out the ticket that I was currently under. I didn't think it would disallow me from ever authenticating again?
kdestroy simply removes a credential or destroys the current ticket file, just as you were guessing.
I made one guess above as to what might be going on (where you need to use the full domain name... use uppercase for the domain portion), and another possible symptom is that your username doesn't exist or it's incorrect. It could also indicate a DNS issue.
Maybe an easy question for someone who knows PowerShell and O365 well. Is there a way to configure it so when a command is run, for example to pull all access to a shared mailbox, that either a service account is permissioned each time to pull that information or the user who is running the script? I looked at connecting an SA to the script but it would have too much access to O365 to give it the specific permissions. So the account is not permissioned for the access by default, but every time the script/command is run it's permissioned for that inquiry, which it shows, then it won't have access until the next time it's called.
Looking to add this type of function to a script which we only want the helpdesk people to see the information when they run the script and the specific command in the script.
Hopefully explained clearly enough :)
Thanks all.
I don't think there is a way to do that natively. You could fiddle something with Azure PIM but that's more for one-off operations than minute actions that are done often.
You could however circumvent that by making some sort of web interface that triggers commands on another server using a privileged SA and returns the output through the web interface. You can just make it so that the interface can only request one specific command to be run, and the only thing you have to worry about is sanitizing your parameters well to avoid unwanted injection.
Alternatively, what are you trying to protect against by restricting access so much? Isn't it something that could be done more easily using a read-only account and some clearly defined policy? If your helpdesk people overstep their allowed scope, that's a management/HR problem as much as a technical one.
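A sketch of the parameter handling that the web-interface suggestion above depends on, as an added example that is not part of the original answer. The script path, the -Mailbox parameter name and the allowed domain are assumptions; the fixed command is never assembled from user text and no shell is involved.

```python
import re
import subprocess

# Hypothetical fixed command: the privileged service account runs only this script.
FIXED_ARGV = ["pwsh", "-NoProfile", "-NonInteractive",
              "-File", "/opt/helpdesk/Get-SharedMailboxAccess.ps1"]  # assumed path

# Allow-list for the single user-supplied value. The first character must be
# alphanumeric so the value can never be parsed as another "-Parameter".
MAILBOX_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+")
ALLOWED_DOMAINS = {"example.com"}  # assumed tenant domain


class RejectedInput(ValueError):
    """Raised when the request parameter is not a plain, in-tenant address."""


def build_argv(mailbox):
    # fullmatch (not match) so a trailing newline or suffix cannot slip through.
    if not isinstance(mailbox, str) or not MAILBOX_RE.fullmatch(mailbox):
        raise RejectedInput("mailbox must be a plain address")
    if mailbox.rsplit("@", 1)[1].lower() not in ALLOWED_DOMAINS:
        raise RejectedInput("mailbox domain not allowed")
    # Argument vector, one element per argument: nothing is re-parsed by a shell.
    return FIXED_ARGV + ["-Mailbox", mailbox]


def run_lookup(mailbox):
    # Called by the web handler; returns only the script's text output.
    result = subprocess.run(build_argv(mailbox), capture_output=True,
                            text=True, timeout=30, check=False)
    return result.stdout
```

The web handler should return a generic error on RejectedInput and log the rejected value server-side.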
I am having a big problem, quite difficult to find/search.
I have a server in Ubuntu, where inside that server I have installed:
GitLab (holds all the projects)
PostgreSQL (independent of the GitLab database; used for a personal project)
Tomcat with a web app (Spring Boot; it uses Postgres)
This server is still for testing; it is used for specific things (I mean, its use and access is limited and controlled).
I am having various problems:
Very frequently, almost every day, the user postgres from the PostgreSQL server "erases" the password. Without anyone doing it manually, "it happens exponentially". I notice because the application stops responding, and then I access PostgreSQL and note that the postgres user has no password.
I have looked in many places, and I can't find anything. I really don't know where else to look. If this has happened to anyone or someone has information about it, I would be grateful if you could provide it to me.
------More information added----------
I was looking at the postgres logs, before I have no authentication and I see this.
There are times when no one could have been using the springboot server,
--2020-01-17 00:30:21.286
And also the two log that show before that moment. Could it be something that is deleting my password?
Thank you.
PostgreSQL does not randomly delete its own passwords, and I really doubt Tomcat or GitLab do either. Indeed they shouldn't even have access to the server as the 'postgres' user or any other superuser, and so shouldn't be able to even if they wanted.
It seems like there is an intruder in your system. After gaining access they create their own user with their own password. Then disabling your normal superuser from logging on is a common way to try to prevent you from regaining control and kicking them out. Do any users exist that you do not recognize?
The bit of the log file you posted clearly shows someone trying to guess your password, starting at 2:58. You aren't logging IP addresses (%h) so it doesn't show where they are coming from. It doesn't show that they succeed, but unless you have log_connections = on, it wouldn't show successes.
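What the log becomes able to show once %h and log_connections are in place, as an added example that is not part of the original answer. It assumes log_line_prefix = '%m [%p] %h ' and log_connections = on; the log lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the assumed prefix '%m [%p] %h ' followed by severity and message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \S+ \[(?P<pid>\d+)\] "
    r"(?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
AUTHORIZED_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")

# Constructed sample (documentation address ranges, not from the page).
SAMPLE_LOG = """\
2020-01-17 02:58:01.120 UTC [4121] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-01-17 02:58:02.480 UTC [4125] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-01-17 02:58:03.910 UTC [4130] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-01-17 02:58:05.002 UTC [4133] 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2020-01-17 03:10:44.310 UTC [4190] 127.0.0.1 LOG:  connection authorized: user=appuser database=appdb
2020-01-17 03:11:00.000 UTC [4195] 198.51.100.9 FATAL:  password authentication failed for user "appuser"
"""


def guessing_hosts(log_text, threshold=3):
    """Hosts with >= threshold failed logins, and any logins that followed."""
    failures = defaultdict(int)
    later_logins = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines or a different prefix
        host, msg = m["host"], m["msg"]
        if FAILED_RE.search(msg):
            failures[host] += 1
            continue
        ok = AUTHORIZED_RE.search(msg)
        # A success only matters here if this host was already guessing.
        if ok and failures[host] >= threshold:
            later_logins[host].add(ok["user"])
    return {h: {"failed": n, "logins_after_failures": sorted(later_logins[h])}
            for h, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print(guessing_hosts(SAMPLE_LOG))
```

A host that appears with a non-empty logins_after_failures list is the case the answer warns about: guessing followed by a successful connection.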
I want to use bugzilla as issue tracking support tool. Users should communicate only using E-Mail, while developers work with bugzilla.
So the first step is creating new bugs for mails, but that fails with the following error:
There is no user named 'test#test.com'. Either you mis-typed the name or that user has not yet registered for a Bugzilla account.
Is it possible to work around that?
One approach would be to change the "from" email in the message to some common account that you set up to specifically handle bugs submitted via email.
You would need to do this before you called email_in.pl http://www.bugzilla.org/docs/4.2/en/html/api/email_in.html
If you happen to be using LDAP authentication and your directory contains all of your intended users, you could use the syncLDAP.pl script in bugzilla/contrib to create bugzilla users for everyone in the directory.
There are a few gotchas I'll mention in case it helps anyone else.
You'll need to install the Net::LDAP perl module. I used cpan.
Be sure your BZ_ROOT_DIR is set properly in /contrib/Bugzilla.pm
If you have multiple LDAP servers configured in parameters, the script will choke. I temporarily removed all but one of the servers.
I found that entries with no mail attribute defined also caused the script to choke, so I made the following change:
my @login_name = @{ $value->{Bugzilla->params->{"LDAPmailattribute"}} };
to
my @login_name = @{ $value->{Bugzilla->params->{"LDAPmailattribute"}} } if defined $value->{Bugzilla->params->{"LDAPmailattribute"}};
Run the script with no arguments to see the various usages (eg. readonly, to test without committing changes). Also, as this is a one time sync, you'd need to set up a scheduled task to run it on a suitable interval.
I apologize that this doesn't entirely remove the requirement for user accounts, but at the very least it's a viable solution for anyone that needs LDAP/AD users to be able to email bugzilla to create tickets without manually creating bugzilla accounts.
I'm working on installing vPopMail on CentOS for use with a Qmail / Courier-IMAP mail-server setup. So far, everything is working out well enough. Mail sent to any virtual user I have setup under any virtual domain (assuming MX records are pointed correctly in the domain DNS) I add to vPopMail is routed correctly to the vPopMail ./Maildir/ and is viewable in /home/vpopmail/domains/domain-example.com/user.name/Maildir/new.
The problem I'm having now is telling the pop service to authenticate using vPopMail instead of the ~default~ Qmail / Courier-IMAP authentication method(s).
"You also need to modify your pop server startup line to use the vchkpw program for authentication." (found at http://www.inter7.com/vpopmail/vpopmail.html) is all I can find in any documentation to even give me the clue that that needs to be done.
So, the question:
How do I tell my pop server to authenticate with vPopMail?
Thanks so much in advance! :)
(Feel free to let me know what (if) more info is needed to answer my question..)
I'd go ahead and check this out
http://www.inter7.com/vpopmail/install.txt
namely item 12
then go ahead and add those lines to your rc.local file or rc.sysinit
good luck
I have a customer that has an old non-existent application; he had a problem with the company that made the application and they won't disclose his database password. He realized that he signed a contract (back then) where it said that he was sort of "renting" the application and they had no right to disclose anything. This customer found out that he's not the only one with the same problem with that company. He's a Dentist and other dentists with the same old application experienced the same problems when trying to buy a new software and attempted to migrate their patients to the new system.
In either case, he wants to open his little Firebird database, so we can at least extract some data to our SQL Servers. I have tried with the default 'masterkey' (which is, in fact, 'masterke' due to the 8 char limit) to no avail.
Now I know he could go legal and try to force the company to release his information, but I want to do it the short way. Does anybody know an app that can brute force/crack a legacy Firebird password?
Thanks.
EDIT: The legacy software is "STOMA-W", I cannot even find it on Internet. They are located in Asturias, Spain.
Firebird does not (yet) store passwords inside the database file.
With this in mind, move the database file to another server where the sysdba password is known.
Old Interbase and Firebird had a hardcoded backdoor password you might want to try:
user: politically pass: correct
http://www.theregister.co.uk/2001/01/12/borland_interbase_backdoor_exposed
Provided not for the SYSDBA account, you may reset forgotten passwords for users with FlameRobin. After registering the database server on your localhost, use the Manage users... function in the context menu:
Here you get a list of users with options to delete or view/modify properties. If you click on the properties icon, you enter this dialogue where you simply enter the new password twice:
There is also IBConsole which comes packaged with the InterBase/Firebird SDK. It has similar functions.