Adventures with KfW 3.1b2
Henry B. Hotz
hotz at jpl.nasa.gov
Fri Nov 3 13:24:13 EST 2006
Installed on a W2K Virtual PC on MacOS 10.4.8. Windows Update seems
to think I have all the latest and greatest.
Nit: The credential window accumulates background-color garbage when
you drag other windows over it. View->Refresh view does fix the
problem.
Now we get to the real questions: Can I make Firefox do cross-realm
with the MIT libraries? I've set:
network.negotiate-auth.delegation-uris jpl.nasa.gov
network.negotiate-auth.gsslib C:\Program Files\MIT\lib\i386\gssapi32.lib
network.negotiate-auth.trusted-uris https://
network.negotiate-auth.using-native-gsslib false.
Logout. (Don't reboot.)
"Failed to renew credentials for hotz@JPL..." on login. Opened
NetIDMgr and typed password to get new tgt. (I thought KfW used to
import the tgt (or at least the password to get a tgt with) as well
as the service tickets. I *think* I have all the relevant options set.)
Firefox works fine with web sites in the main JPL.NASA.GOV realm. I
want to use the MIT gssapi library because I want to configure some
specific machines to be in a different realm, even though there is no
DNS distinction. This is outside of AD.
Opened Firefox 2.0. Tried to connect to
https://redhotz.jpl.nasa.gov/cgi-bin/test-cgi.
Get a basic-auth prompt. Kerbtray shows a
HTTP/redhotz.jpl.nasa.gov@JPL.NASA.GOV, not a HTTP/...@HOTZ.JPL.NASA.GOV
service ticket. (If you reopen it. I guess it doesn't auto-update.)
NetIDMgr shows the same thing.
In a command prompt window
"kvno -c API:hotz@JPL.NASA.GOV HTTP/redhotz.jpl.nasa.gov@HOTZ.JPL.NASA.GOV"
will correctly get the cross-realm tgt, and the HTTP service principal.
Looks like Firefox is using the Windows SSPI instead of the MIT
GSSAPI library, in spite of the config items saying otherwise.
Nit: Should I attach any significance to klist -A (on Mac) vice
klist -C (on W2K)? Also the default "API:" ccache names are
completely different. This isn't wrong, just confusing for someone
trying to work cross-platform.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu