KfM 4.0b7: a few questions

Alexandra Ellwood lxs at MIT.EDU
Wed Jan 30 17:56:00 EST 2002

>3. KfM will automatically invoke the login dialog when certain of the
>    Kerberos4Lib functions are called.  I have an application that I
>    absolutely do not want to invoke a login dialog, but I want it to
>    use credentials if they already exist.  I can call
>    KLCacheHasValidTickets() first, but on OS X at least, I've been
>    able to log out between that call and the next Kerberos call.  Is
>    there some way, on either a per-application or per-call basis, to
>    disable the automatic login dialog?

No, there is no way to do this.  Is there some technical problem with 
our login dialog popping up in front of your application?

>    Related comments:
>    a) Why is krb_get_cred() one of the functions that makes the login
>    dialog appear?  This seems odd, since this function isn't supposed
>    to actually get new credentials from the TGS.  Unless you're
>    requesting the tgt, initiating a login dialog won't help.

Under Mac OS, we try to automatically prompt for tickets if they are 
needed and unavailable.  From testing, we discovered that users often 
get confused when presented with a "no credentials" error.  This also 
mimics old KClient behavior, as well as the behavior of most Apple 
services (such as accessing an alias to an AppleShare volume).

I realize that KfM differs from Unix behavior.  However, on Unix, the 
user is almost always using a terminal window when they get the "no 
credentials" error.  Getting credentials then only involves typing 
"kinit" into an already running process.  This is much easier than 
finding the Kerberos application, waiting for it to launch, and 
clicking "Get Tickets".  The user may not even know where the 
Kerberos application is if the site has the 
Kerberos.loginAuthenticator installed, and the user's tickets have 
expired for the first time.  The user can run "kinit" from the 
terminal in Mac OS X; however, Terminal.app is probably not running 
by default.

Note that for command-line applications running in ssh/telnet/etc 
sessions, we mimic the Unix behavior and report the "no credentials" 
error.  We only pop up the dialog when the Window server is available.

>    b) get_ad_tkt() doesn't pop up the login dialog, but I happened to
>    notice that it will cause a crash if there are no credentials
>    available.

This is a bug; it should be popping up the dialog.  It will be fixed 
in the next release.

Alexandra Ellwood                                               <lxs at mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/
