Adventures with KfW 3.1b2
jaltman at secure-endpoints.com
Fri Nov 3 16:23:54 EST 2006
Henry B. Hotz wrote:
> Installed on a W2K Virtual PC on MacOS 10.4.8. Windows Update seems
> to think I have all the latest and greatest.
> Nit: The credential window accumulates background-color garbage when
> you drag other windows over it. View->Refresh view does fix the
This is a known problem. I'm not sure why the redraw regions are not
matching up with what needs to be repainted yet. However, the problem
is superficial so I am not going to hold up KFW 3.1 final for this.
> Now we get to the real questions: Can I make Firefox do cross-realm
> with the MIT libraries? I've set:
> network.negotiate-auth.delegation-uris jpl.nasa.gov
> network.negotiate-auth.gsslib C:\Program Files\MIT\lib\i386
> network.negotiate-auth.trusted-uris https://
> network.negotiate-auth.using-native-gsslib false.
> Logout. (Don't reboot.)
> "Failed to renew credentials for hotz at JPL..." on login. Opened
> NetIDMgr and typed password to get new tgt. (I thought KfW used to
> import the tgt (or at least the password to get a tgt with) as well
> as the service tickets. I *think* I have all the relevant options set.)
What is the "default" identity set to?
We don't import the credentials from the MSLSA: ccache now that it can
be used directly as the default.
> Firefox works fine with web sites in the main JPL.NASA.GOV realm. I
> want to use the MIT gssapi library because I want to configure some
> specific machines to be in a different realm, even though there is no
> DNS distinction. This is outside of AD.
I think you are suffering from the fact that your AD realm and Heimdal
realms both have the same name. Therefore, you can't use the MSLSA:
credentials at all. And yet, because identities in both realms have the
same name it is not possible for us to distinguish which should be used
> Opened Firefox 2.0. Tried to connect to https://redhotz.jpl.nasa.gov/
> Get a basic-auth prompt. Kerbtray shows a HTTP/
> redhotz.jpl.nasa.gov at JPL.NASA.GOV, not a HTTP/... at HOTZ.JPL.NASA.GOV
> service ticket. (If you reopen it. I guess it doesn't auto-
> update.) NetIDMgr shows the same thing.
If kerbtray is showing the ticket, this indicates that the MSLSA:
version of the identity is being used.
> In a command prompt window "kvno -c API:hotz at JPL.NASA.GOV HTTP/
> redhotz.jpl.nasa.gov at HOTZ.JPL.NASA.GOV" will correctly get the cross-
> realm tgt, and the HTTP service principal.
> Looks like Firefox is using the Windows SSPI instead of the MIT
> GSSAPI library, in spite of the config items saying otherwise.
Or that the GSSAPI is using the MSLSA: credential cache.
> Nit: Should I attach any significance to klist -A (on Mac) vice
> klist -C (on W2K)? Also the default "API:" ccache names are
> completely different. This isn't wrong, just confusing for someone
> trying to work cross-platform.
They are different.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20061103/45a13a1e/attachment.bin
More information about the krbdev