ccapiserver -k not working in kfw-4.0.1?

[Thomas Sondergaard]

On 2013-03-08 18:14, Benjamin Kaduk wrote:
> On Thu, 7 Mar 2013, Thomas Sondergaard wrote:
>
>> On 06-03-2013 23:25, Benjamin Kaduk wrote:
>>> On Wed, 6 Mar 2013, Thomas Sondergaard wrote:
>>
>> A few follow-up questions:
>>
>> Is the maturity of kwf-4.0.1 lower than kfw-3.2.2? On krbcc32s.exe I 
>> believe the -k option works.
>
> Well, that depends both on what you mean by maturity and what you mean 
> by kfw.
> Also, could you please point to where ccapiserver -k is documented? 
> ccapiserver is not intended to be run manually, so far as I know.

"ccapiserver -h" is how I found it.

>
>> Is kfw-4.0.1 substantially the same or kfw-3.2.2 or has it been 
>> rewritten? Can I trust it, is what I'm asking :-)
>
> KfW 3.2 is based off the krb5 1.6 codebase, with some windows-specific 
> bits like the Network Identity Manager and the krbcc32s.exe server.
> KfW 4.0 is based off the krb5 1.10 codebase, with some 
> windows-specific bits like the MIT Kerberos Ticket Manager application 
> and its ccapiserver.exe.  The krb5-1.10 codebase is mature and well 
> tested; the krb5-1.6 codebase is perhaps so mature so as to be stale 
> -- it is certainly no longer supported by the security team.
>
> The MIT Kerberos Ticket Manager application is based off the Leash 
> codebase which was used in KfW 2.6, but updated for compatibility with 
> modern versions of Windows and the Ribbon interface.  The ccapiserver 
> for CCAPIv3 support is code that has not been previously released.  
> However, since you seem to not be using either the ticket manager 
> application or the ccapiserver, it would seem that for your purposes, 
> kfw-4.0.1 is mature and should be preferred.

Excellent, that makes me more confident in moving forward with kfw-4.0.1

>
>>> src/windows/installer/wix/custom/custom.cpp:KillRunningProcessesSlave() 
>>> is an existing routine which searches for and terminates other 
>>> processes.  I don't think it's up to current Microsoft 
>>> recommendations for doing so, but it may be useful as an example if 
>>> you need a place to start.
>>
>> It it using the Process32First/Process32Next from the Tool Help 
>> Library. There is also the EnumProcesses API. Either will work if we 
>> just want to run through the processes and kill any process with the 
>> same executable file path as us (except we shouldn't kill ourselves 
>> :-)). Is that good enough? I think I can tinker that together, 
>> without too much trouble.
>
> That sounds okay to me; I could take a patch for this.  The preferred 
> submission path is a github pull request to 
> https://github.com/krb5/krb5 but we can handle other submissions as well.

Perhaps the -k switch should simply be removed from the usage text if it 
is not intended to be there. I couldn't find anything like it in the mac 
code (which I gather is where this project started).

For my own purposes, I have discovered that I can avoid the ccapiserver 
and that the MEMORY: ticket cache will serve me best, so I don't really 
need ccapiserver at all.

Thanks a lot for all your help - it made a difference.

Thomas

-- 
Thomas Søndergaard
Technical R&D Manager

Mobile: (+45) 5157 3090
Skype: tsondergaard

Medical Insight A/S
Krumtappen 4, Etage 3
2500 Valby
Denmark