Net Identity Manager: Identity

Jeffrey Altman jaltman2 at nyc.rr.com
Thu Jul 6 17:44:22 EDT 2006


Sensei wrote:
> Hi, I've installed the new kfw to see the changes between the old leash
> and the new version.
> 
> I noticed a real hard difficulty in creating an identity. How can a
> user, a naive user, create his identity? It was quite easy in the old
> version, but now it seems difficult. The documentation does not even
> cover this aspect.
> 
> I have some testing realms without DNS SRV fields, and I asked a user
> (naive one, but used kfw/afs the old way) to download the last KfW and
> OpenAFS versions (configured using our configuration files), gain his
> ticket and AFS token. He couldn't even get a ticket because the OK
> button in creating credentials is not enabled. He also noticed that the
> old integrated logon does not work anymore. I know he could kinit/aklog
> but he's not happy about this.
> 
> Is there something that I can do to ease a user's life... and possibly
> ease even mine? :)

There are several serious known bugs in KFW 3.0 that prevent me
from recommending its use.  These bugs are fixed in the source
repository and will be included in KFW 3.1.

(1) If the user's locale is not "en_US" then the Kerberos 5 Identity
    module cannot be loaded.

(2) If the user's principal name includes numeric characters it is
    treated as an invalid principal and ticket getting is disabled.

(3) There is a memory leak during credential renewal.

Until such time as KFW 3.1 is available, I suggest that end users
stick to KFW 2.6.5.

I keep a recent alpha build of pre-KFW 3.1 with the fixes in

  http://web.mit.edu/jaltman/Public/KFW/kfw-3.1-alpha/
  /afs/athena.mit.edu/user/j/a/jaltman/Public/KFW/kfw-3.1-alpha/

along with a matching NetIDMgr AFS plugin.  Feel free to evaluate
the code to ensure it works in your environment but please do not
distribute it to end users.

Jeffrey Altman



More information about the Kerberos mailing list