ccapiserver -k not working in kfw-4.0.1?

Benjamin Kaduk kaduk at MIT.EDU
Fri Mar 8 12:14:20 EST 2013 

On Thu, 7 Mar 2013, Thomas Sondergaard wrote:

> On 06-03-2013 23:25, Benjamin Kaduk wrote:
>> On Wed, 6 Mar 2013, Thomas Sondergaard wrote:
>
> A few follow-up questions:
>
> Is the maturity of kwf-4.0.1 lower than kfw-3.2.2? On krbcc32s.exe I believe 
> the -k option works.

Well, that depends both on what you mean by maturity and what you mean by 
kfw.
Also, could you please point to where ccapiserver -k is documented? 
ccapiserver is not intended to be run manually, so far as I know.

> Is kfw-4.0.1 substantially the same or kfw-3.2.2 or has it been rewritten? 
> Can I trust it, is what I'm asking :-)

KfW 3.2 is based off the krb5 1.6 codebase, with some windows-specific 
bits like the Network Identity Manager and the krbcc32s.exe server.
KfW 4.0 is based off the krb5 1.10 codebase, with some windows-specific 
bits like the MIT Kerberos Ticket Manager application and its 
ccapiserver.exe.  The krb5-1.10 codebase is mature and well tested; the 
krb5-1.6 codebase is perhaps so mature so as to be stale -- it is 
certainly no longer supported by the security team.

The MIT Kerberos Ticket Manager application is based off the Leash 
codebase which was used in KfW 2.6, but updated for compatibility with 
modern versions of Windows and the Ribbon interface.  The ccapiserver for 
CCAPIv3 support is code that has not been previously released.  However, 
since you seem to not be using either the ticket manager application or 
the ccapiserver, it would seem that for your purposes, kfw-4.0.1 is mature 
and should be preferred.

>> src/windows/installer/wix/custom/custom.cpp:KillRunningProcessesSlave() is 
>> an existing routine which searches for and terminates other processes.  I 
>> don't think it's up to current Microsoft recommendations for doing so, but 
>> it may be useful as an example if you need a place to start.
>
> It it using the Process32First/Process32Next from the Tool Help Library. 
> There is also the EnumProcesses API. Either will work if we just want to run 
> through the processes and kill any process with the same executable file path 
> as us (except we shouldn't kill ourselves :-)). Is that good enough? I think 
> I can tinker that together, without too much trouble.

That sounds okay to me; I could take a patch for this.  The preferred 
submission path is a github pull request to https://github.com/krb5/krb5 
but we can handle other submissions as well.

> Is the ccapiserver only for Windows and mac, there doesn't seem to be a unix 
> implementation?

It is windows-only.  There is no unix implementation, and the kfm project 
is dead at this point.

> Will the ccapiserver work on a Windows multi-user machine? I assume each user 
> will have his own server in that case.

Yes on both counts.

-Ben

More information about the kfwdev mailing list