• spn alias

    From Stefan Kania@stefan@kania-online.de to kerberos on Thu Mar 6 17:42:46 2025
    From Newsgroup: comp.protocols.kerberos

    hi to all,
    is it possible to set an alias for the spn? We are still having the problem
    doing kerberos authentication through a loadbalancer. We created a
    principal for the loadbalancer and a keytab. We then added the key to
    the ldap-keytab file, so we are having both, the ldap key for the server
    and the ldap key for the loadbalancer in one file. This file we use as
    keytab for the ldap-server. The client connects to the loadbalancer (with
    ldapsearch) and we are getting "err=49" and the log is showing that the
    spn is wrong. So we think with an alias for the spn for the loadbalancer
    it might work. Or is there any other way to get the
    kerberos-authentication through the loadbalancer?

    Stefan

    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Jeffrey Hutzelman@jhutz@cmu.edu to Stefan Kania on Thu Mar 6 11:57:49 2025
    From Newsgroup: comp.protocols.kerberos

    What LDAP server software are you using?
    On Thu, Mar 6, 2025 at 11:44 AM Stefan Kania <stefan@kania-online.de> wrote:
    > hi to all,
    > is it possible to set an alias for the spn? We are still having the problem
    > doing kerberos authentication through a loadbalancer. We created a
    > principal for the loadbalancer and a keytab. We then added the key to
    > the ldap-keytab file, so we are having both, the ldap key for the server
    > and the ldap key for the loadbalancer in one file. This file we use as
    > keytab for the ldap-server. The client connects to the loadbalancer (with
    > ldapsearch) and we are getting "err=49" and the log is showing that the
    > spn is wrong. So we think with an alias for the spn for the loadbalancer
    > it might work. Or is there any other way to get the
    > kerberos-authentication through the loadbalancer?
    >
    > Stefan



    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos

  • From Stefan Kania@stefan@kania-online.de to Jeffrey Hutzelman on Thu Mar 6 18:13:04 2025
    From Newsgroup: comp.protocols.kerberos

    We are using openldap 2.6 together with mit-kerberos version 1.18 on
    debian 12.

    On 06.03.25 at 17:57, Jeffrey Hutzelman wrote:
    > What LDAP server software are you using?

  • From Michael B Allen@ioplex@gmail.com to Stefan Kania on Thu Mar 6 17:23:49 2025
    From Newsgroup: comp.protocols.kerberos

    On Thu, Mar 6, 2025 at 11:45 AM Stefan Kania <stefan@kania-online.de> wrote:
    > hi to all,
    > is it possible to set an alias for the spn? We are still having the problem
    > doing kerberos authentication through a loadbalancer. We created a
    > principal for the loadbalancer and a keytab. We then added the key to
    > the ldap-keytab file, so we are having both, the ldap key for the server
    > and the ldap key for the loadbalancer in one file. This file we use as
    > keytab for the ldap-server. The client connects to the loadbalancer (with
    > ldapsearch) and we are getting "err=49" and the log is showing that the
    > spn is wrong. So we think with an alias for the spn for the loadbalancer
    > it might work. Or is there any other way to get the
    > kerberos-authentication through the loadbalancer?

    Hi Stefan,

    How are you load balancing LDAP exactly?

    The most common way to load balance LDAP is to use SRV records.
    Clients pick a server based on SRV record priority and weight.

    An SPN /is/ an alias for an account + secret so, no, I would not say you
    can have an alias for an SPN.

    Each service instance should have a unique DNS hostname with a unique SPN
    that probably refers to different accounts but it is common to have
    multiple SPNs reference the same account (albeit usually for different
    schemes).

    If your load balancing is more like a reverse proxy arrangement, that would
    mean clients are all using the same exact SPN which means each endpoint
    must use the same account + secret and thus the same key. This sounds like
    your point-of-failure.

    But I'm no expert on such things. I have never load balanced LDAP in any
    way other than the usual SRV record method.

    If you explain your architecture in a little more depth, you might get a
    better answer.

    Mike
    --
    Michael B Allen
    Java AD DS Integration
    https://www.ioplex.com/ <http://www.ioplex.com/>
  • From Jeffrey Hutzelman@jhutz@cmu.edu to Michael B Allen on Thu Mar 6 17:56:52 2025
    From Newsgroup: comp.protocols.kerberos

    It sounds like the setup uses a load balancer that accepts TCP connections
    and relays to some available server. Basically a reverse proxy at the TCP
    layer, and pretty common for this type of service (i.e. not HTTP).

    Unfortunately, the Cyrus SASL library used by OpenLDAP has a limitation in
    the GSSAPI mechanism, which is that it supports only a single service
    principal name(*). By default, that's ldap/<hostname>, using the machine's
    configured FQDN. You can configure it to use a different name, such as the
    one belonging to the shared load balancer VIP, but I'm afraid I don't
    recall exactly how offhand (and I'm not in front of a computer). So, you
    can support the server's individual name or the shared name, but not both.

    Years ago we patched Cyrus SASL to avoid this problem by allowing any
    principal whose keys appear in the keytab, but that unfortunately was never
    merged. The change is simple enough -- when calling gss_accept_sec_context,
    use GSS_C_NO_CREDENTIAL instead of going out of the way to call
    gss_acquire_cred to get a specific server credential.

    FWIW, our current solution to this issue at CMU is to use a DNS-based load
    balancer which returns the address of a different LDAP server on each
    lookup of ldap.cmu.edu. The servers then each only need to accept their own
    SPN, since the clients reverse resolve the LDAP server address before
    requesting a service ticket(**).

    * "service principal name" is the name of a principal used as a service. In
    Windows AD, this is often an alias for an "account", but that's an artifact
    of the design of AD. In other implementations including MIT and Heimdal,
    service principals are first-class objects just like client principals, and
    the question about aliasing is a reasonable one, though not really the
    cause of the problem here.

    ** RFC 4120 specifically said not to rely on insecure DNS queries for this,
    but that advice is unfortunately frequently ignored, by applications and
    libraries in ways that are hard to avoid. Fortunately, everyone seems to
    follow the corresponding advice for TLS and X.509 PKI, which essentially
    means that as long as you use ldaps and validate certificates, the reverse
    DNS lookup before calling SASL/GSS/Kerberos doesn't introduce any problem.
  • From Michael B Allen@ioplex@gmail.com to Jeffrey Hutzelman on Thu Mar 6 19:16:00 2025
    From Newsgroup: comp.protocols.kerberos

    On Thu, Mar 6, 2025 at 5:57 PM Jeffrey Hutzelman <jhutz@cmu.edu> wrote:
    > Years ago we patched Cyrus SASL to avoid this problem by allowing any
    > principal whose keys appear in the keytab, but that unfortunately was
    > never merged.

    I thought that's how kerberos worked by default - just use the spn in the
    ap-req to lookup the base key from the keytab or wherever.

    Sounds gssapi got in the way of itself.

    > * "service principal name" is the name of a principal used as a service.
    > In Windows AD, this is often an alias for an "account", but that's an
    > artifact of the design of AD. In other implementations including MIT and
    > Heimdal, service principals are first-class objects just like client
    > principals, and the question about aliasing is a reasonable one, though
    > not really the cause of the problem here.

    Ah, ok. Clearly I'm exposing myself on the Internets again.

    > ** RFC 4120 specifically said not to rely on insecure DNS queries for
    > this, but that advice is unfortunately frequently ignored, by applications
    > and libraries in ways that are hard to avoid. Fortunately, everyone seems
    > to follow the corresponding advice for TLS and X.509 PKI, which
    > essentially means that as long as you use ldaps and validate certificates,
    > the reverse DNS lookup before calling SASL/GSS/Kerberos doesn't introduce
    > any problem.

    Deploying CA certs is annoying.

    I've been thinking about adding a utility to my toolchain that does an LDAP
    bind with Kerberos and, if and only if mutual is successful, grab the CA
    cert from the SSL layer and offer to install it (like
    into jre/lib/security/cacerts for java in my case).

    Mike
    --
    Michael B Allen
    Java AD DS Integration
    https://www.ioplex.com/ <http://www.ioplex.com/>
  • From Jeffrey Hutzelman@jhutz@cmu.edu to Michael B Allen on Thu Mar 6 19:28:51 2025
    From Newsgroup: comp.protocols.kerberos

    On Thu, Mar 6, 2025, 19:16 Michael B Allen <ioplex@gmail.com> wrote:
    > On Thu, Mar 6, 2025 at 5:57 PM Jeffrey Hutzelman <jhutz@cmu.edu> wrote:
    >> Years ago we patched Cyrus SASL to avoid this problem by allowing any
    >> principal whose keys appear in the keytab, but that unfortunately was
    >> never merged.
    >
    > I thought that's how kerberos worked by default - just use the spn in the
    > ap-req to lookup the base key from the keytab or wherever.
    >
    > Sounds gssapi got in the way of itself.

    GSSAPI makes it easy to do this right, and that's the advice we've been
    giving for at least 20 years. Unfortunately, it also makes it easy to get
    the idea that servers have to acquire a credential to accept connections.

    >> ** RFC 4120 specifically said not to rely on insecure DNS queries for
    >> this, but that advice is unfortunately frequently ignored, by
    >> applications and libraries in ways that are hard to avoid. Fortunately,
    >> everyone seems to follow the corresponding advice for TLS and X.509 PKI,
    >> which essentially means that as long as you use ldaps and validate
    >> certificates, the reverse DNS lookup before calling SASL/GSS/Kerberos
    >> doesn't introduce any problem.
    >
    > Deploying CA certs is annoying.
    >
    > I've been thinking about adding a utility to my toolchain that does an
    > LDAP bind with Kerberos and, if and only if mutual is successful, grab the
    > CA cert from the SSL layer and offer to install it (like
    > into jre/lib/security/cacerts for java in my case).

    That seems reasonable, if you trust the server to send the right CA cert.
    It would also work to use a Kerberos authenticated ssh connection, or set
    up something behind https://www.eyrie.org/~eagle/software/remctl/ to
    provide a CA cert. I agree, deploying CA certs or anything you can trust is
    annoying. Once you've done that once, better to make use of it for others.

  • From Stefan Kania@stefan@kania-online.de to kerberos on Sat Mar 8 17:22:51 2025
    From Newsgroup: comp.protocols.kerberos

    On 07.03.25 at 02:10, Ken Hornstein via Kerberos wrote:
    >> Unfortunately, the Cyrus SASL library used by OpenLDAP has a limitation in
    >> the GSSAPI mechanism, which is that it supports only a single service
    >> principal name(*). By default, that's ldap/<hostname>, using the machine's
    >> configured FQDN. You can configure it to use a different name, such as the
    >> one belonging to the shared load balancer VIP, but I'm afraid I don't
    >> recall exactly how offhand (and I'm not in front of a computer). So, you
    >> can support the server's individual name or the shared name, but not both.
    >
    > If you are using MIT Kerberos (anything 1.10 or newer) on the LDAP server,
    > you can use the krb5.conf configuration entry "ignore_acceptor_hostname"
    > to allow the server to match on any valid hostname.  See details here:
    >
    Hi Ken,

    that did it. Thank you. Now we get the ticket through the loadbalancer.
    But OpenLDAP is complaining that the name of the principal is not
    matching the FQDN.
    We now will go the way without the load balancer. We will use SRV-records.

    Stefan
    > https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#libdefaults
    >
    > Should do what you want.
    >
    > --Ken


    --------------ms080904010107000603090700
    Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="smime.p7s"
    Content-Description: Kryptografische S/MIME-Signatur

    --------------ms080904010107000603090700--
    --- Synchronet 3.21d-Linux NewsLink 1.2