KfM 4.0b7: a few questions

Alexei Kosut akosut at Stanford.EDU
Wed Jan 30 02:42:00 EST 2002

A collection of comments on KfM 4.0b7:

1. The 4.0b7 installer not appear install the header files in
   /usr/include on Mac OS X.  The libraries are in /usr/lib, but I
   can't find the header files.  Everything in the Kerberos framework
   seems fine, though.  It could be just my Mac, though, I guess.

2. The CFM version number of UtilitiesLib seems to have changed again
   in 4.0b7.  I remember this occurring earlier in the 3.5/4.0 release
   cycle as well.  I currently build my CFM binaries against the KfM
   3.5 SDK, which worked up until 4.0b6 (although, ironically, it
   doesn't seem to work for 3.5 itself).

   I'd like to be able to call unix_time_to_mac_time() and
   gettimeofday().  I could roll my own, I guess, but I want to be
   sure I'm using the same time information as KfM.  Would it be safer
   to just use GetSharedLibrary()/FindSymbol() instead of linking to
   the UtilitiesLib stub library?

3. KfM will automatically invoke the login dialog when certain of the
   Kerberos4Lib functions are called.  I have an application that I
   absolutely do not want to invoke a login dialog, but I want it to
   use credentials if they already exist.  I can call
   KLCacheHasValidTickets() first, but on OS X at least, I've been
   able to log out between that call and the next Kerberos call.  Is
   there some way, on either a per-application or per-call basis, to
   disable the automatic login dialog?

   Related comments:

   a) Why is krb_get_cred() one of the functions that makes the login
   dialog appear?  This seems odd, since this function isn't supposed
   to actually get new credentials from the TGS.  Unless you're
   requesting the tgt, initating a login dialog won't help.

   b) get_ad_tkt() doesn't pop up the login dialog, but I happened to
   notice that it will cause a crash if there are no credentials

4. We've gotten a couple complaints here about the login window: If
   the user clicks on another window while the login server is
   opening, they may never see the login dialog, since it ends up
   behind the other app.  Going back to their original application
   doesn't help, and it appears to have hung, since it's waiting for
   the login dialog to close.  Sometimes they eventually find the
   Kerberos Login Server icon in the dock.

   Would it be possible to make the login dialog always appear in
   front of other windows?  This would solve this problem nicely.  I
   note that Mac OS X does this for keychain access dialogs, which
   serve a similar purpose.  I know that a Cocoa window can be set to
   a level of NSStatusWindowLevel to do this; I don't know the
   equivalent Carbon call, though I imagine there is one.

   This would probably also reduce the problem I've seen from time to
   time where the login dialog appears under such a globally-topmost
   window, making it so you can't easily bring the login dialog

Other than that, though, 4.0b7 is running smoothly.  I am very


Alexei Kosut <akosut at cs.stanford.edu> <http://www.stanford.edu/~akosut/>

More information about the krbdev mailing list