KfM 4.0b7: a few questions
Alexei Kosut
akosut at Stanford.EDU
Wed Jan 30 18:26:01 EST 2002
On Wed, Jan 30, 2002 at 05:55:52PM -0500, Alexandra Ellwood wrote:
> >3. KfM will automatically invoke the login dialog when certain of the
> > Kerberos4Lib functions are called. I have an application that I
> > absolutely do not want to invoke a login dialog, but I want it to
> > use credentials if they already exist. I can call
> > KLCacheHasValidTickets() first, but on OS X at least, I've been
> > able to log out between that call and the next Kerberos call. Is
> > there some way, on either a per-application or per-call basis, to
> > disable the automatic login dialog?
>
> No, there is no way to do this. Is there some technical problem with
> our login dialog popping up in front of your application?
I've got a background application that performs some Kerberos services
on behalf of a user who's currently logged in. One of these is to
obtain an AFS token after login. When I detect that there's been a
login, my app goes and grabs an AFS service ticket and hands it to the
AFS cache manager.
However, if the user logs in, then immediately afterwards changes
their mind and hits Destroy Tickets, they are rewarded by another
login dialog, since my background app hits a Kerberos v4 call that
pops open the login dialog. The same thing happens if they have
multiple logins, and hit "Destroy Tickets" several times in rapid
succession to clear them all.
I need a way to be able to obtain the service ticket, including
contacting the TGS if necessary, such that it simply fails silently if
there aren't valid credentials.
> > Related comments:
> >
> > a) Why is krb_get_cred() one of the functions that makes the login
> > dialog appear? This seems odd, since this function isn't supposed
> > to actually get new credentials from the TGS. Unless you're
> > requesting the tgt, initiating a login dialog won't help.
>
> Under Mac OS, we try to automatically prompt for tickets if they are
> needed and unavailable. From testing, we discovered that users often
> get confused when presented with a "no credentials" error. This also
> mimics old KClient behavior, as well as the behavior of most Apple
> services (such as accessing an alias to an AppleShare volume).
I understand that, and generally I like and appreciate the behavior.
It's the right thing to do in 99% of the cases. But I'm stuck in
the remaining 1% right now.
You didn't answer my question, though: Why is krb_get_cred() one of
the functions that makes the login dialog appear? If I call this
function when there are no credentials, even if I log in when the dialog
appears, the function is still going to fail with RET_NOTKT unless I'm
requesting the tgt. It seems pointless to bring up the login dialog
otherwise.
It's not very important; I was just curious as to the rationale for
why certain functions invoke a dialog and others don't.
> > b) get_ad_tkt() doesn't pop up the login dialog, but I happened to
> > notice that it will cause a crash if there are no credentials
> > available.
>
> This is a bug; it should be popping up the dialog. It will be fixed
> in the next release.
You'll fix the crash, too, right? (i.e., if I hit "Cancel" at the
login dialog)
--
Alexei Kosut <akosut at cs.stanford.edu> <http://www.stanford.edu/~akosut/>