Adventures with KfW 3.1b2
Jeffrey Altman
jaltman at secure-endpoints.com
Fri Nov 3 16:23:54 EST 2006
Henry B. Hotz wrote:
> Installed on a W2K Virtual PC on MacOS 10.4.8. Windows Update seems
> to think I have all the latest and greatest.
>
> Nit: The credential window accumulates background-color garbage when
> you drag other windows over it. View->Refresh view does fix the
> problem.
This is a known problem. I'm not sure why the redraw regions are not
matching up with what needs to be repainted yet. However, the problem
is superficial so I am not going to hold up KFW 3.1 final for this.
> Now we get to the real questions: Can I make Firefox do cross-realm
> with the MIT libraries? I've set:
>
> network.negotiate-auth.delegation-uris jpl.nasa.gov
> network.negotiate-auth.gsslib C:\Program Files\MIT\lib\i386\gssapi32.lib
> network.negotiate-auth.trusted-uris https://
> network.negotiate-auth.using-native-gsslib false.
>
> Logout. (Don't reboot.)
>
> "Failed to renew credentials for hotz@JPL..." on login. Opened
> NetIDMgr and typed password to get new tgt. (I thought KfW used to
> import the tgt (or at least the password to get a tgt with) as well
> as the service tickets. I *think* I have all the relevant options set.)
What is the "default" identity set to?
We don't import the credentials from the MSLSA: ccache now that it can
be used directly as the default.
> Firefox works fine with web sites in the main JPL.NASA.GOV realm. I
> want to use the MIT gssapi library because I want to configure some
> specific machines to be in a different realm, even though there is no
> DNS distinction. This is outside of AD.
I think you are suffering from the fact that your AD realm and Heimdal
realms both have the same name. Therefore, you can't use the MSLSA:
credentials at all. And yet, because identities in both realms have the
same name it is not possible for us to distinguish which should be used
automatically.
> Opened Firefox 2.0. Tried to connect to https://redhotz.jpl.nasa.gov/cgi-bin/test-cgi.
>
> Get a basic-auth prompt. Kerbtray shows a HTTP/redhotz.jpl.nasa.gov@JPL.NASA.GOV,
> not a HTTP/...@HOTZ.JPL.NASA.GOV service ticket. (If you reopen it. I guess it
> doesn't auto-update.) NetIDMgr shows the same thing.
If kerbtray is showing the ticket, this indicates that the MSLSA:
version of the identity is being used.
> In a command prompt window "kvno -c API:hotz@JPL.NASA.GOV HTTP/redhotz.jpl.nasa.gov@HOTZ.JPL.NASA.GOV"
> will correctly get the cross-realm tgt, and the HTTP service principal.
>
> Looks like Firefox is using the Windows SSPI instead of the MIT
> GSSAPI library, in spite of the config items saying otherwise.
Or that the GSSAPI is using the MSLSA: credential cache.
> Nit: Should I attach any significance to klist -A (on Mac) vice
> klist -C (on W2K)? Also the default "API:" ccache names are
> completely different. This isn't wrong, just confusing for someone
> trying to work cross-platform.
They are different.
Jeffrey Altman
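The check Henry did by hand with kerbtray and klist (which ccache is in use, and which realm issued the HTTP service ticket) can be scripted against klist output. This is an added example, not code from the thread or from KfW; the klist text is constructed to mirror the situation described above: an API: cache holding a cross-realm TGT, but an HTTP ticket issued by the AD realm rather than HOTZ.JPL.NASA.GOV.

```python
# Constructed sample of MIT klist output (not from the thread).
SAMPLE_KLIST = """\
Ticket cache: API:hotz@JPL.NASA.GOV
Default principal: hotz@JPL.NASA.GOV

Valid starting     Expires            Service principal
11/03/06 10:00:00  11/03/06 20:00:00  krbtgt/JPL.NASA.GOV@JPL.NASA.GOV
11/03/06 10:01:00  11/03/06 20:00:00  krbtgt/HOTZ.JPL.NASA.GOV@JPL.NASA.GOV
11/03/06 10:01:05  11/03/06 20:00:00  HTTP/redhotz.jpl.nasa.gov@JPL.NASA.GOV
"""


def parse_klist(text):
    """Return (ccache name, default principal, list of ticket principals)."""
    cache = default = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        else:
            # Ticket rows: date, time, date, time, principal.
            fields = line.split()
            if len(fields) == 5 and "@" in fields[-1]:
                tickets.append(fields[-1])
    return cache, default, tickets


def check_cross_realm(text, service, expected_realm):
    """Report which ccache is in use and whether the ticket for `service`
    was issued by `expected_realm`; returns (ccache name, list of findings)."""
    cache, _default, tickets = parse_klist(text)
    findings = []
    if cache and cache.upper().startswith("MSLSA:"):
        findings.append("default ccache is MSLSA:, so the AD (SSPI) credentials are in use")
    realms = {t.split("@", 1)[1] for t in tickets if t.startswith(service + "@")}
    if expected_realm in realms:
        findings.append("service ticket from %s present" % expected_realm)
    elif realms:
        findings.append("service ticket for %s came from %s, not %s"
                        % (service, ", ".join(sorted(realms)), expected_realm))
    else:
        findings.append("no service ticket for %s" % service)
    if not any(t.startswith("krbtgt/%s@" % expected_realm) for t in tickets):
        findings.append("no cross-realm TGT for %s" % expected_realm)
    return cache, findings


if __name__ == "__main__":
    for f in check_cross_realm(SAMPLE_KLIST, "HTTP/redhotz.jpl.nasa.gov",
                               "HOTZ.JPL.NASA.GOV")[1]:
        print(f)
```

Feed it the real `klist` output (e.g. `klist -c API:hotz@JPL.NASA.GOV`) to see at a glance whether the browser's ticket came from the intended realm.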