KfM 4.0b7: a few questions
akosut at Stanford.EDU
Wed Jan 30 02:42:00 EST 2002
A collection of comments on KfM 4.0b7:
1. The 4.0b7 installer not appear install the header files in
/usr/include on Mac OS X. The libraries are in /usr/lib, but I
can't find the header files. Everything in the Kerberos framework
seems fine, though. It could be just my Mac, though, I guess.
2. The CFM version number of UtilitiesLib seems to have changed again
in 4.0b7. I remember this occurring earlier in the 3.5/4.0 release
cycle as well. I currently build my CFM binaries against the KfM
3.5 SDK, which worked up until 4.0b6 (although, ironically, it
doesn't seem to work for 3.5 itself).
I'd like to be able to call unix_time_to_mac_time() and
gettimeofday(). I could roll my own, I guess, but I want to be
sure I'm using the same time information as KfM. Would it be safer
to just use GetSharedLibrary()/FindSymbol() instead of linking to
the UtilitiesLib stub library?
3. KfM will automatically invoke the login dialog when certain of the
Kerberos4Lib functions are called. I have an application that I
absolutely do not want to invoke a login dialog, but I want it to
use credentials if they already exist. I can call
KLCacheHasValidTickets() first, but on OS X at least, I've been
able to log out between that call and the next Kerberos call. Is
there some way, on either a per-application or per-call basis, to
disable the automatic login dialog?
a) Why is krb_get_cred() one of the functions that makes the login
dialog appear? This seems odd, since this function isn't supposed
to actually get new credentials from the TGS. Unless you're
requesting the tgt, initating a login dialog won't help.
b) get_ad_tkt() doesn't pop up the login dialog, but I happened to
notice that it will cause a crash if there are no credentials
4. We've gotten a couple complaints here about the login window: If
the user clicks on another window while the login server is
opening, they may never see the login dialog, since it ends up
behind the other app. Going back to their original application
doesn't help, and it appears to have hung, since it's waiting for
the login dialog to close. Sometimes they eventually find the
Kerberos Login Server icon in the dock.
Would it be possible to make the login dialog always appear in
front of other windows? This would solve this problem nicely. I
note that Mac OS X does this for keychain access dialogs, which
serve a similar purpose. I know that a Cocoa window can be set to
a level of NSStatusWindowLevel to do this; I don't know the
equivalent Carbon call, though I imagine there is one.
This would probably also reduce the problem I've seen from time to
time where the login dialog appears under such a globally-topmost
window, making it so you can't easily bring the login dialog
Other than that, though, 4.0b7 is running smoothly. I am very
Alexei Kosut <akosut at cs.stanford.edu> <http://www.stanford.edu/~akosut/>
More information about the krbdev