Automatic Prompting for Tickets on Windows

Joseph Jackson jackson at CMU.EDU
Wed Dec 3 14:39:04 EST 2003 

At Carnegie Mellon, I'm trying to move our calendaring and primary e-mail 
clients from a Kerberos 4 configuration to K5. On the client end of things, 
these two apps would bring us 90% closer to killing off K4.

The changes outlined below would help us tremendously with the migration. I 
think automatically prompting for user-id/password is the right behavior to 
present to end-users when they don't have tickets or the tickets have 
expired. We would probably implement local changes to get that behavior if 
it weren't coming in a release from MIT. Our chances of getting all the 
details right aren't very good, so I was very happy to see that it will be 
taken care of in the next release.

Thanks!

Joe Jackson,
Computing Services,
Carnegie Mellon University.


--On Tuesday, December 2, 2003 6:23 PM -0500 Alexandra Ellwood 
<lxs at mit.edu> wrote:

> At Sam's request, I have moved this discussion to krbdev at mit.edu.
>
> Note that this discussion is about very short term changes.  Please avoid
> comments on this thread like "but the whole mechanism is completely
> broken" unless you plan to give us a large cash donation and/or a time
> machine.  Do feel free to start your own thread discussing KfM and KfW's
> automatic prompting for tickets, but don't expect any of your feedback to
> be considered for krb5-1.3.2.
>
>
>> X-Sieve: CMU Sieve 2.2
>> Date: Tue, 25 Nov 2003 15:22:20 -0500
>> From: Jeffrey Altman <jaltman at columbia.edu>
>> Organization: Columbia University in the City of New York
>> X-Accept-Language: en-us, en
>> To: Alexandra Ellwood <lxs at MIT.EDU>, Tom Yu <tlyu at MIT.EDU>
>> Subject: marshall requests gssapi to produce a kinit dialog when there
>> are no tickets on windows
>>
>> alexis, tom:
>>
>> marshall asked me to contact the two of you.  to make umich happy,
>> he would like kfw to display a kinit dialog when there are either
>> "no tgts" or "expired tgts" when gssapi is being called by an
>> application.  in keeping with the desire to match the behavior of
>> kfm and kfw I would like to know how this functionality is
>> implemented in kfm.  I did not see any kfm specific code in the
>> krb5/src/lib/gssapi/krb5/*.c.  How is the failure to obtain a
>> credential hooked?  Is it via a wrapper library?
>>
>> is there different behavior for the cases: "no tgts" and "expired tgts"?
>>
>> thanks,
>>
>> - Jeff
>>
>> p.s. - the timeframe for this change is 1.3.2.

More information about the krbdev mailing list