From ghudson at MIT.EDU Fri Nov 4 02:02:39 2005
From: ghudson at MIT.EDU (Greg Hudson)
Date: Fri, 4 Nov 2005 02:02:39 -0500
Subject: [Wocky] jabberd GSSAPI authentication support status
Message-ID: <200511040702.jA472dIS019906@egyptian-gods.mit.edu>

I spent a couple of days this week looking at how we might integrate GSSAPI support into jabberd, given that it's not in 2.0s10 as I previously thought. The short summary is that wocky.mit.edu is currently running a jabberd 2.1 snapshot with our krb5 authreg module added back in. I had to fix a few bugs and adjust some configurations, but it currently offers GSSAPI as an authentication mechanism, and password authentication over SSL still works. The current setup should be adequate for client code testing, but needs a lot of cleanup.

The longer play-by-play:

I found that jabberd's CVS repository didn't seem to have a commits mailing list, making it hard to figure out what commits might have been made related to Cyrus SASL support. I also found that jabberd might be relatively close to a 2.1 release, in that they're releasing 2.1 snapshots. So I decided for now to give up on a backport of the SASL support to 2.0, and to just start testing the latest 2.1 snapshot.

The 2.1 code requires a fairly recent version of Cyrus SASL, more recent than the Athena build in /usr/athena/lib on wocky (network appears to be using a layered Athena install on that machine). I did a local build of a more recent version of Cyrus SASL and ran into a host of library and linker path issues with that build. They were all solvable with enough effort, but I wonder if trying to build jabberd without /usr/athena in the include and library paths (which would imply using the native Kerberos build) would be better. I'll look into that later.

While peering at the code responsible for requiring a recent version of Cyrus SASL, I noticed an apparent bug and fired off an email message to Simon Wilkinson asking for clarification. I haven't gotten an answer back, which is a little worrisome.

The jabberd 2.1 code added some certificate verification support which was aimed at making c2s and s2s verify client certs presented by connecting hosts (see http://j2.openaether.org/bugzilla/show_bug.cgi?id=56). However, on our server it had the undesired side effect of making most of the jabberd components fail to connect to the router component because they couldn't verify the server cert provided by router (because it ends in a self-signed MIT cert). Since I'm not sure why it's desirable to be using SSL between jabberd components, I disabled the pemfile setting in the router.xml config file, thus disabling SSL connections between components and working around the problem. I also submitted a comment to bug 56 about this side-effect, but haven't received a response.

With that problem fixed, the server starts up (and can be convinced to offer the GSSAPI mechanism by adding a config line to c2s.xml), but wouldn't accept password authentication over gaim any more. After a great deal of tracing, I discovered that some of the password-checking callbacks in the new SASL code weren't being passed to the SASL library and thus weren't taking effect; the upshot is that authreg modules don't work if they can't supply the desired password in plain text. I fixed that, along with another shallow bug revealed by that, and now password authentication works again.

I sent more mail to Simon Wilkinson about my findings. If I continue to get no response, I can air this and the SSL certificate issue on the jabberd dev list.

There don't appear to be massive code changes between 2.0 and 2.1 aside from the new SASL support. That means a backport of the SASL support is probably not a big deal, but it also means we might be better off just going with 2.1 since it's still a pretty familiar beast.

From hallisey at MIT.EDU Mon Nov 7 16:08:17 2005
From: hallisey at MIT.EDU (Joanne M. Hallisey)
Date: Mon, 7 Nov 2005 16:08:17 -0500
Subject: [Wocky] Brief Meeting Tuesday at 3:00
Message-ID:

Hello,

There will be a meeting Tuesday afternoon, Nov. 8, 2005 from 3:00 - 4:00, in W92-225. We will be doing a regular status update. The meeting is open to anyone interested in attending.

Thanks,
Joanne
--
Joanne Hallisey
Sr. Project Manager
MIT - Information Services and Technology
617-253-1894

From ghudson at MIT.EDU Mon Nov 14 17:01:15 2005
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 14 Nov 2005 17:01:15 -0500
Subject: [Wocky] Kerberos authentication support status
Message-ID: <200511142201.jAEM1F18022501@egyptian-gods.mit.edu>

I've imported the 2005-10-02 jabberd CVS snapshot into the source repository and checked in the necessary changes to get it to work. I submitted two of the relevant patches upstream (though I need to do so again in their bugtracker). Using Simon's patch from August (http://mailman.mit.edu/pipermail/wocky/2005-August/000007.html) I was able to test Kerberos authentication from gaim. I believe the server code is ready to be put on po15, and will pursue that with Mark soon.

On the client side, Simon's patch from August worked for Kerberos authentication, but broke password authentication over SSL and clearly needed some work. About a month ago, Simon sent us mail offering new patches (http://mailman.mit.edu/pipermail/wocky/2005-October/000077.html) but then never followed up. I sent him a note today, but he's been unresponsive to my mail lately; I hope he's okay. If he's disappeared into thin air, we can eventually give up and use his August patch as a basis for our own work, but for now I'm going to move on to other issues and see if he gets back to me.

From ghudson at MIT.EDU Tue Nov 15 14:33:16 2005
From: ghudson at MIT.EDU (Greg Hudson)
Date: Tue, 15 Nov 2005 14:33:16 -0500
Subject: [Wocky] Configuring a chatroom after creation
Message-ID: <200511151933.jAFJXGDg001181@egyptian-gods.mit.edu>

Several times I've seen the question come up: after I've created and configured a chatroom, how do I change that configuration later?

The short answer for Gaim is:

    /config

The longer answer: Gaim's Jabber protocol plugin contains a number of slash commands, some of which access functionality not available through the menus. These appear to be patterned after IRC clients and include:

    ban clear config configure debug help invite join kick me msg nick part register say topic

A "/help" will list the commands.

I've seen conversations on the Gaim development list (not specifically related to Jabber) where some developers voiced a strong objection to slash commands, so this may be an area where Gaim 2.0 is very different.

I don't know if Adium X or iChat is substantially different from Gaim in this area.

From ghudson at MIT.EDU Wed Nov 16 14:57:33 2005
From: ghudson at MIT.EDU (Greg Hudson)
Date: Wed, 16 Nov 2005 14:57:33 -0500
Subject: [Wocky] Upstream status note: Gaim and SRV support
Message-ID: <200511161957.jAGJvXhU013921@egyptian-gods.mit.edu>

While looking into the username vs. username at mit.edu issue, I noticed that the Gaim trunk code (destined for Gaim 2.0) has added SRV support for Jabber. That doesn't directly affect us for a while, but it's encouraging in that (a) it means substantive work is being done on Gaim's Jabber plugin, and (b) we'll get SRV support for free, eventually.

(I'm not sure how much we care about working SRV support in the short term, but in the longer term it could be a springboard for client failover support, which could allow us to have multiple servers and have everything function seamlessly if one of them is suddenly knocked over.)

From ghudson at MIT.EDU Thu Nov 17 13:30:52 2005
From: ghudson at MIT.EDU (Greg Hudson)
Date: Thu, 17 Nov 2005 13:30:52 -0500
Subject: [Wocky] username vs. username@mit.edu
Message-ID: <200511171830.jAHIUqkG026506@egyptian-gods.mit.edu>

As we all know, one of our big usability issues with Jabber is that users commonly enter just a username into the buddy list and expect it to work like username at mit.edu would.

I have discouraging news on this front. A Jabber JID looks like:

    jid = [ node "@" ] domain [ "/" resource ]

That is, while "username at mit.edu" is the most common expected form of a JID, just plain old "mit.edu" is valid as well--but it is treated as a domain, not as a username. It's apparently common to write Jabber messages to things like "mit.edu/announce/online" to get certain automated behavior from the Jabber server.

I initially thought this was not a big deal, because the spec required domains to contain a "." (or at least a ":" for IPv6 literal addresses) and most usernames do not, but apparently that's a mistake, not an intended restriction, and it's common in practice for people to send messages to "myserver/announce/online" without a dot in the domain name.

The upshot is that Gaim developers are unwilling to accept a patch translating username into username at defaultdomain because it would be munging valid JIDs. The mail thread is at http://sourceforge.net/mailarchive/forum.php?thread_id=8988122&forum_id=9587 although the archive appears to be a little bit behind.

It's too bad that Jabber's no-username form of a jid isn't @domain[/resource]; then there would be no ambiguity. But we can't go back in time and change that.

I will still look into a server-side hack to make this behavior work. But we won't ever get a clean solution without an incompatible change to XMPP.

From hallisey at MIT.EDU Thu Nov 17 15:56:21 2005
From: hallisey at MIT.EDU (Joanne Hallisey)
Date: Thu, 17 Nov 2005 15:56:21 -0500
Subject: [Wocky] username vs. username@mit.edu
In-Reply-To: <200511171830.jAHIUqkG026506@egyptian-gods.mit.edu>
References: <200511171830.jAHIUqkG026506@egyptian-gods.mit.edu>
Message-ID: <1E0646EF-0BA1-460D-BCF1-67A83498DB48@mit.edu>

This is something that we should gauge user response to. If it is not a big deal to them, maybe you can wait.

Joanne Hallisey
Sr. Project Manager
Information Services and Technology
W92-153
617-253-1894
hallisey at mit.edu

On Nov 17, 2005, at 1:30 PM, Greg Hudson wrote:

> As we all know, one of our big usability issues with Jabber is that
> users commonly enter just a username into the buddy list and expect it
> to work like username at mit.edu would.
>
> I have discouraging news on this front. A Jabber JID looks like:
>
> jid = [ node "@" ] domain [ "/" resource ]
>
> That is, while "username at mit.edu" is the most common expected form of
> a JID, just plain old "mit.edu" is valid as well--but it is treated as
> a domain, not as a username. It's apparently common to write Jabber
> messages to things like "mit.edu/announce/online" to get certain
> automated behavior from the Jabber server.
>
> I initially thought this was not a big deal, because the spec required
> domains to contain a "." (or at least a ":" for IPv6 literal
> addresses) and most usernames do not, but apparently that's a mistake,
> not an intended restriction, and it's common in practice for people to
> send messages to "myserver/announce/online" without a dot in the
> domain name.
>
> The upshot is that Gaim developers are unwilling to accept a patch
> translating username into username at defaultdomain because it would be
> munging valid JIDs. The mail thread is at
> http://sourceforge.net/mailarchive/forum.php?
> thread_id=8988122&forum_id=9587
> although the archive appears to be a little bit behind.
>
> It's too bad that Jabber's no-username form of a jid isn't
> @domain[/resource]; then there would be no ambiguity. But we can't go
> back in time and change that.
>
> I will still look into a server-side hack to make this behavior work.
> But we won't ever get a clean solution without an incompatible change
> to XMPP.
> _______________________________________________
> Wocky mailing list
> Wocky at mit.edu
> http://mailman.mit.edu/mailman/listinfo/wocky

From ghudson at MIT.EDU Thu Nov 17 16:06:34 2005
From: ghudson at MIT.EDU (Greg Hudson)
Date: Thu, 17 Nov 2005 16:06:34 -0500
Subject: [Wocky] username vs. username@mit.edu
In-Reply-To: <1E0646EF-0BA1-460D-BCF1-67A83498DB48@mit.edu>
References: <200511171830.jAHIUqkG026506@egyptian-gods.mit.edu> <1E0646EF-0BA1-460D-BCF1-67A83498DB48@mit.edu>
Message-ID: <1132261595.23682.86.camel@egyptian-gods.mit.edu>

On Thu, 2005-11-17 at 15:56 -0500, Joanne Hallisey wrote:
> This is something that we should gauge user response to. If it is
> not a big deal to them, maybe you can wait.

Perhaps. It's looking like we'll have to leave this one alone, disappointing as that is.

I looked into a server-side hack for this, but it turns out to be harder than I had hoped. Jabberd 2 uses magic domain names like "c2s" and "sm" for communication between server components. So if I change it to parse all bare-word JIDs as username at mit.edu, I interfere with that, and the server stops working. Trying to change the JID more selectively (in message, presence, and roster requests received by c2s) looks to be difficult due to jabberd's architecture.

I don't think Paul's compromise would convince the Gaim developers. Most of them are looking to reduce the number of configuration options in Gaim, not add to them.

From computing-help at MIT.EDU Fri Nov 18 13:36:30 2005
From: computing-help at MIT.EDU (computing-help@MIT.EDU)
Date: Fri, 18 Nov 2005 13:36:30 -0500 (EST)
Subject: [Wocky] Case 919629: Jabber Service and Clients
Message-ID: <200511181836.jAIIaUok004794@outgoing-legacy.mit.edu>

Hi Wuen-E,

You can send questions regarding the Jabber rollout wocky at mit.edu.
I don't know how helpful this person can be, but that's our point of contact for the Jabber release.

Hope this helps,
Matthias
MIT Computing Help Desk

[11/18/05 1:36 PM thorn Sent Email to Client]
===========================
Please retain the case reference in the subject line for future replies associated with this case

From hallisey at MIT.EDU Fri Nov 18 13:44:09 2005
From: hallisey at MIT.EDU (Joanne Hallisey)
Date: Fri, 18 Nov 2005 13:44:09 -0500
Subject: [Wocky] Next Meeting
Message-ID:

Hello,

Just to give you some advance notice, we will be meeting on Tuesday, Nov. 22 at 3:00 in W92-225. Please send any agenda items.

Thanks,
Joanne
--------------------------------------------
Joanne Hallisey
Sr. Project Manager
Information Services and Technology
W92-153
617-253-1894
hallisey at mit.edu

From wuene at pobox.upenn.edu Fri Nov 18 15:18:53 2005
From: wuene at pobox.upenn.edu (Wuen-E Hank Chang)
Date: Fri, 18 Nov 2005 15:18:53 -0500
Subject: [Wocky] RE: Case 919629: Jabber Service and Clients
In-Reply-To: <200511181836.jAIIaUok004794@outgoing-legacy.mit.edu>
Message-ID: <001201c5ec7d$4c270560$f04e7ba5@LocalHost>

Hi,

I'm from the University of Pennsylvania and we were considering rolling out Jabber for the university here, and I was wondering if I could get some information and pick someone's mind on the feasibility, roll-out, procedure, best practices, installation, kerberization/security, logging, and scalability of the project, especially since you've already done the process up at MIT.

Please let me know if there's someone better to contact.

Thanks!
------------------------------------------------
Wuen-E Hank Chang
Support-on-Site Dispatch Services, ISC
Sansom West, Room 301B
3650 Chestnut Street
Philadelphia, Pennsylvania 19104
work phone: 215.573.4427
email:wuene at isc.upenn.edu
email:wuene at pobox.upenn.edu

-----Original Message-----
From: computing-help at MIT.EDU [mailto:computing-help at MIT.EDU]
Sent: Friday, November 18, 2005 1:37 PM
To: wuene at pobox.upenn.edu
Cc: wocky at MIT.EDU
Subject: Case 919629: Jabber Service and Clients

Hi Wuen-E,

You can send questions regarding the Jabber rollout wocky at mit.edu. I don't know how helpful this person can be, but that's our point of contact for the Jabber release.

Hope this helps,
Matthias
MIT Computing Help Desk

[11/18/05 1:36 PM thorn Sent Email to Client]
===========================
Please retain the case reference in the subject line for future replies associated with this case

From hallisey at MIT.EDU Tue Nov 22 11:06:20 2005
From: hallisey at MIT.EDU (Joanne M. Hallisey)
Date: Tue, 22 Nov 2005 11:06:20 -0500
Subject: [Wocky] Jabber Project Announcement
Message-ID:

Hello,

I am pleased to announce the startup of an IS&T project to introduce an MIT-wide Jabber messaging service. We hope to offer this service to users in a pilot capacity in September 2005. The project is #1127 in the IT work database.

The project is sponsored by Theresa Regan. Joanne Hallisey is the Project Manager. Greg Hudson is the Technical Lead.

The project plans to begin the pilot at the beginning of the fall 2005 semester. The pilot will be monitored for any unforeseen issues, and information will be collected during the semester to inform the support and service processes for a future production service.

The project has had an ITAG review and initial contact has been made with SWRT, Training and Publications and the Computing Help Desk. If you think that the project should check in with your team, or if you have questions, please contact us at wocky at mit.edu. If you would like to follow the work of the project, please subscribe to the list membership.

Thank you.
Joanne
--
Joanne Hallisey
Sr. Project Manager
MIT - Information Services and Technology
617-253-1894

From ghudson at MIT.EDU Wed Nov 23 01:27:06 2005
From: ghudson at MIT.EDU (Greg Hudson)
Date: Wed, 23 Nov 2005 01:27:06 -0500
Subject: [Wocky] Single sign-on status update
Message-ID: <200511230627.jAN6R62Y017369@egyptian-gods.mit.edu>

jabber.mit.edu (which is no longer po15) now supports the GSSAPI SASL authentication mechanism.

That isn't very exciting until we have clients which support it as well. Does iChat have any support for that, or is it expected to?

We have some Gaim patches from Simon Wilkinson from August, which I've tested. They work for GSSAPI authentication but break password authentication, and have some other issues. I'm expecting to receive some updated client patches from Simon soon.

From hallisey at MIT.EDU Wed Nov 23 09:30:40 2005
From: hallisey at MIT.EDU (Joanne Hallisey)
Date: Wed, 23 Nov 2005 09:30:40 -0500
Subject: [Wocky] Meeting Notes and Next Steps: Jabber - November 22, 2005
Message-ID: <1C4F1FC5-99ED-4041-93D3-E535E291B0A3@mit.edu>

November 22, 2005
Jabber IM Pilot Project

The Jabber server has been moved off of po15. Greg has sent Mark Silis updates which have been deployed.

The team discussed in more detail the criteria for deploying enterprise-wide. Our deliverable for December is to evaluate the pilot and make a decision. There are three possible recommendations:

1. deploy enterprise-wide - this then sets off a number of tasks for executing support and service plans (see draft below)
2. continue the pilot - this may be necessary if it is necessary to resolve some of the technical issues
3. do not introduce the service

Some data that will help shape the recommendation:

How many people have used the pilot clients?
What are the statistics from the server for daily launches logins?
What are the statistics from the server for unique logins?
What is the estimated audience campus-wide?
What is the uptake?
How many messages are being exchanged?
How many messages are exchanged per unit time (hour/other)?
What is the load performance?

Joanne and Greg will ask Mark Silis what kinds of statistics he can provide.

Joanne will send a short survey to the original email lists invited to participate.

Technical criteria?

What are the technical requirements that have been met?
What are the outstanding technical requirements?

-GSS support. Greg is working on this, but there are still issues. Using ssl sending the password over the network to the server. Need to be sure that the client configuration is correct or it is sent in the clear.
-Passwords if saved are saved in the clear. The nature of the program strongly encourages the user to save passwords.
-Lack of feedback when a user tries to add someone to their buddy list.
-Server to server functionality has not been enabled. Without this feature users cannot use Jabber to communicate with colleagues outside of MIT.
-User names require @mit.edu. GAIM developers will not modify the code. Server-side hack is not feasible.

Are any of the outstanding technical requirements "showstoppers"? Is a collection of technical issues a "showstopper".

There is an option to branch the development so that we do MIT fixes, but then, we have more maintenance overhead. Do not believe this is a good option.

Support and Service Plan

Computing Help Desk: The first line of support for the instant messaging service is the Computing Help Desk. The CHD will respond to incoming emails, phone calls, and case logs regarding problems related to the use of Jabber clients, GAIM and AdiumX including, acquisition (download), installation, configuration, network connectivity, general use for IM and chat.

Training and Publications: The Publications group will maintain Web-based documentation that provides overview information, requirements and instructions for use and basic self-help information. The Training group will run periodic Quick Start classes (quarterly)

Network Operations: The Network Operations team will set up, configure and maintain the test and production servers.

Tasks to be Done:

Training
    Help Desk Staff
    Quick Start for end users
Documentation
    User documentation - Web self-help
    FAQs and Stock Answers
Software Release
    Write installers for Macintosh, Windows, Linux
    Create Product Web Pages
NIST
    Acquire servers - Set up and configure servers
    Establish process for making changes, maintaining the service

--------------------------------------------
Joanne Hallisey
Sr. Project Manager
Information Services and Technology
W92-153
617-253-1894
hallisey at mit.edu

From jdreed at MIT.EDU Wed Nov 23 09:44:53 2005
From: jdreed at MIT.EDU (Jonathan Reed)
Date: Wed, 23 Nov 2005 09:44:53 -0500
Subject: [Wocky] Meeting Notes and Next Steps: Jabber - November 22, 2005
In-Reply-To: <1C4F1FC5-99ED-4041-93D3-E535E291B0A3@mit.edu>
References: <1C4F1FC5-99ED-4041-93D3-E535E291B0A3@mit.edu>
Message-ID:

> -GSS support. Greg is working on this, but there are still issues.
>Using ssl sending the password over the network to the server. Need
>to be sure that the client configuration is correct or it is sent in
>the clear.

If not a showstopper, I'd consider the lack of this reason to extend the pilot phase. If Jabber is to become MIT's preferred institute-wide messaging system, particularly on Athena, then Kerberos support is pretty much a necessity. It becomes a hassle to type your password multiple times throughout the day. Honestly, that's one of the reasons I don't log in to Jabber as much as I probably should - it's much easier to hit 'Cancel' than to keep typing my password, particularly on my laptop, where I often suspend the machine, resulting in disconnects.

>Computing Help Desk: The first line of support for the instant
>messaging service is the Computing Help Desk. The CHD will respond
>to incoming emails, phone calls, and case logs regarding problems
>related to the use of Jabber clients, GAIM and AdiumX including,
>acquisition (download), installation, configuration, network
>connectivity, general use for IM and chat.

Athena Consulting will support gaim on Athena.

>Software Release
> Write installers for Macintosh, Windows, Linux

There is no installer necessary for Linux - the gaim RPM is provided by Red Hat and is installed via up2date. We could provide an installer that installs some sort of wrapper script with a basic config, similar to what happens on Athena, however we do not currently do that for any other applications that ship with the OS and require configuration, such as Evolution. A web page with instructions on how to obtain the RPM via up2date and what values to fill in which dialog boxes should be sufficient for Linux.

-Jon
--
-------------------
Jonathan Reed
jdreed at mit.edu
-------------------

From awillis at MIT.EDU Wed Nov 23 10:05:32 2005
From: awillis at MIT.EDU (Albert Willis)
Date: Wed, 23 Nov 2005 10:05:32 -0500
Subject: [Wocky] Single sign-on status update
In-Reply-To: <200511230627.jAN6R62Y017369@egyptian-gods.mit.edu>
References: <200511230627.jAN6R62Y017369@egyptian-gods.mit.edu>
Message-ID:

On Nov 23, 2005, at 1:27 AM, Greg Hudson wrote:

> Does iChat have any support for that, or is it expected to?

I'll ask for this as a "feature request". I'll report back what happens.

-- Al
______________________________
Albert Willis
Macintosh Platform Coordinator - Software Release Team
Information Services and Technology
Massachusetts Institute of Technology
awillis at mit.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/wocky/attachments/20051123/2c9fa9ea/attachment.htm

From atticus at MIT.EDU Wed Nov 23 18:28:53 2005
From: atticus at MIT.EDU (Atticus O Gifford)
Date: Wed, 23 Nov 2005 18:28:53 -0500
Subject: [Wocky] MIT Gaim 1.5.0 for Windows (Beta 3) available for testing
Message-ID: <20051123182853.blx1yqqm8p9cks4s@webmail.mit.edu>

I've just uploaded a new installer for Gaim for Windows. The major addition is a tool to handle account creation. I'm going to polish it up a bit next week (more robust validation and info dialogs), but it will create new accounts nicely.

If you run the installer in non-silent mode, it will run for the current user. A copy of the tool (Create MIT Account) is installed under the Start Menu->MIT Gaim 1.5->Tools as well for other users on the machine.

Let me know if you have any problems with it. After I get the Mac installer out the door next week, I'll look at adding other features that may occur.

Thanks, and have a great Thanksgiving,
Atticus

From ghudson at MIT.EDU Sun Nov 27 19:03:19 2005
From: ghudson at MIT.EDU (Greg Hudson)
Date: Sun, 27 Nov 2005 19:03:19 -0500
Subject: [Wocky] [Fwd: Re: Jabber Kerberos patches]
Message-ID: <1133136199.3870.9.camel@egyptian-gods.mit.edu>

I will experiment with these tomorrow.
-------------- next part --------------
An embedded message was scrubbed...
From: Simon Wilkinson
Subject: Re: Jabber Kerberos patches
Date: Sun, 27 Nov 2005 18:02:10 +0000
Size: 37547
Url: http://mailman.mit.edu/pipermail/wocky/attachments/20051127/50a1b710/attachment.eml

From ghudson at MIT.EDU Mon Nov 28 17:39:58 2005
From: ghudson at MIT.EDU (Greg Hudson)
Date: Mon, 28 Nov 2005 17:39:58 -0500
Subject: [Wocky] New Gaim client patches
Message-ID: <200511282239.jASMdw4U001823@egyptian-gods.mit.edu>

I've reviewed and tested Simon's new patches. They take a very different approach from the previous set of patches he sent.
Instead of integrating all authentication through the Cyrus SASL library, he implements just the GSSAPI mechanism, which turns out not to be very much code. Rather than link the Jabber plugin against the krb5 gssapi libraries, his code attempts to dynamically load the gssapi library at runtime.

I identified the following issues:

* Although his approach is fairly slick in terms of deployability, I'm not sure it has any hope of passing muster for upstream integration. In particular, his code contains a copy of the krb5 gssapi.h header file, hacked up so that it can declare typedefs instead of functions.

* His initialization function calls g_module_open("gssapi32", ...) which is clearly targeted for Windows. I had to hack that to "/usr/athena/lib/libgssapi_krb5" for my test build to make it work.

* His code doesn't return any useful information on errors; it just says there's been an authentication error. I hacked up a function to at least log the GSSAPI errors via gaim_debug.

* He uses the user's JID domain, not the connect server hostname, for the GSSAPI domain, which results in the client trying to use xmpp/web.mit.edu at ATHENA.MIT.EDU as the service principal (since mit.edu canonicalizes to web.mit.edu). I hacked it to use "jabber.mit.edu" for my test build, since the connect server hostname isn't easily available in that part of the code.

* His patch flags the Jabber protocol plugin as having optional passwords, so that Jabber accounts can be auto-logged in. As a result, if Kerberos authentication doesn't succeed on an auto-login attempt, password authentication also fails, rather than prompting the user for a password. I haven't checked against other protocol plugins to see if the gaim code has a way of handling this.

I plan to consult with Paul at tomorrow's SDIT meeting to decide how to proceed.

I've put up the sources and a Linux build at /afs/dev.mit.edu/project/jabber/gaim-krb5-hack in case people want to play with it.
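
The service-principal issue in the message above, together with the JID grammar quoted earlier in the "username vs. username@mit.edu" thread, as an added example (not code from Simon's patches, Gaim or jabberd). It parses a JID and builds the Kerberos service principal from either the JID domain or the connect server. All function names are hypothetical, and canonicalize() is a constructed stand-in for DNS canonicalization that holds only the mapping stated in the message.

```c
#include <stdio.h>
#include <string.h>

/* jid = [ node "@" ] domain [ "/" resource ]   (grammar quoted in the thread) */
struct jid {
    char node[64];
    char domain[128];
    char resource[128];
};

/* Copy n bytes into a fixed buffer, refusing anything that would not fit. */
static int copy_part(char *dst, size_t dstlen, const char *src, size_t n)
{
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Split a JID. The resource starts at the first '/', and an '@' separates
 * the node only when it appears before that '/'. Returns 0 or -1. */
int jid_parse(const char *s, struct jid *out)
{
    size_t len = strlen(s);
    const char *slash = strchr(s, '/');
    size_t head = slash ? (size_t)(slash - s) : len;
    const char *at = memchr(s, '@', head);
    const char *dom = at ? at + 1 : s;
    size_t dom_len = head - (size_t)(dom - s);

    if (dom_len == 0 || at == s)          /* empty domain, or "@domain" */
        return -1;
    if (copy_part(out->node, sizeof out->node, s, at ? (size_t)(at - s) : 0) ||
        copy_part(out->domain, sizeof out->domain, dom, dom_len))
        return -1;
    if (!slash)
        return copy_part(out->resource, sizeof out->resource, "", 0);
    return copy_part(out->resource, sizeof out->resource, slash + 1, len - head - 1);
}

/* Constructed stand-in for the canonicalization a Kerberos library performs
 * via DNS; the only mapping is the one stated in the message. */
static const char *canonicalize(const char *host)
{
    return strcmp(host, "mit.edu") == 0 ? "web.mit.edu" : host;
}

/* Build "xmpp/<host>@<realm>". With connect_server == NULL the host comes
 * from the JID domain (the behaviour reported for the patch); otherwise it
 * comes from the server the client actually connects to. */
int xmpp_service_principal(const char *jid_str, const char *connect_server,
                           const char *realm, char *buf, size_t buflen)
{
    struct jid j;
    int n;

    if (jid_parse(jid_str, &j) != 0)
        return -1;
    n = snprintf(buf, buflen, "xmpp/%s@%s",
                 canonicalize(connect_server ? connect_server : j.domain), realm);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs, using names that appear in the thread. */
    const char *samples[] = { "ghudson@mit.edu", "ghudson", "sm",
                              "mit.edu/announce/online" };
    const char *realm = "ATHENA.MIT.EDU";
    char p[256];
    struct jid j;
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (jid_parse(samples[i], &j) == 0)
            printf("%-24s node='%s' domain='%s' resource='%s'\n",
                   samples[i], j.node, j.domain, j.resource);

    if (xmpp_service_principal("ghudson@mit.edu", NULL, realm, p, sizeof p) == 0)
        printf("from JID domain:     %s\n", p);
    if (xmpp_service_principal("ghudson@mit.edu", "jabber.mit.edu", realm, p, sizeof p) == 0)
        printf("from connect server: %s\n", p);
    return 0;
}
```

The bare words "ghudson" and "sm" both parse as domains with no node, which is the ambiguity the username thread describes.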