[38361] in Kerberos


Re: MIT Kerberos client and default cache

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Tue Oct 16 13:55:36 2018

Date: Tue, 16 Oct 2018 12:55:15 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Pierre Dehaen <dehaenp@drever.be>
Message-ID: <20181016175515.GT19309@kduck.kaduk.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <5BC595FA.5847.235896B8@dehaenp.drever.be>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, Oct 16, 2018 at 09:40:42AM +0200, Pierre Dehaen wrote:
> Hello list,
> 
> Configuration:
> - Windows are clients of an AD
> - Kfw 4.1 is used to acquire tickets from another realm
> - Clients use tickets through Firefox to access apache applications
> - All working well
> 
> In the Kfw GUI, next to the TGT of the additional realm, we see the TGT of the AD. The 
> former shows API: as credential cache, while the latter shows MSLSA:, all good.
> 
> According to <https://mailman.mit.edu/pipermail/kerberos/2015-April/020637.html>: Once 
> you have a ticket, the "make default" button will set the registry entry for you. 
> 
> That is the problem: once a user has clicked "Make default" while the AD ticket was by 
> chance selected, only one TGT can be acquired at a time, each Get Ticket overwrites all 
> existing tickets.
> 
> Okay, I can fix this in the registry... but users can't, that's too difficult/risky, and I don't find a 
> way to revert to the default credential cache from the GUI. Even the "Make default" trick does 
> not work anymore as all tickets are MSLSA tickets.
> 
> Any advice?

Sadly, this is a "patches welcome" moment -- the issue has been known for
several years but has not been a development priority.  The best workaround
would be to clear the registry entry (and presumably you could prepare a
script/standalone tool to clear this specific registry key, that would be
safe for exposure to end users).

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
