[36077] in Kerberos
KfW 4.x (was Re: Windows KDC - Delegation Option)
daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Sat Apr 26 15:37:59 2014
Date: Sat, 26 Apr 2014 15:37:35 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Ben H <bhendin@gmail.com>
In-Reply-To: <CAAd7auZJ7d8DAZkSdxSJMKckP2+44WzSJGEg31rmfy2DSwiyBQ@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1404261525580.21026@multics.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi Ben,
On Fri, 25 Apr 2014, Ben H wrote:
> That's interesting - thank you. I was able to actually validate what you
> stated by installing MIT Kerberos on my Window system and then configuring
> Putty's GSSAPI option to use the MIT GSSAPI libraries as preference.
> My first attempt with kfw-4.0.1 was unsuccessful and I suspect it has to do
> with how 4.01 integrates into the Windows LSA cache - I didn't seem able to
> separate my Windows tickets from the MIT ones (init/destroy in one location
> reflected in the other). I suspect I may have been able to find a way to
> configure it, but 4.01 seems very turnkey and I couldn't quickly find some
> way to customize this behavior.
The intention behind the KfW 4.0 GUI is that people using it would only be
using the API: credentials cache type, and would probably not be
interacting with the native Windows LSA cache (the MSLSA: cache type as
exposed by KfW). As such, the GUI does not offer a way to change what
cache will be used for new tickets obtained using the GUI; they will be
placed into the default cache. Since the API cache is collection-enabled,
it is possible to have credentials for multiple principals present, and
they will be displayed in the ticket list. Since the LSA cache only
supports having one identity at a time, if the default cache is MSLSA:,
the new ticket will overwrite any preexisting ones.
I'm not sure how your system ended up in a state where the MSLSA: cache
was the default (there is a registry key to control this), but using the
KfW-provided kinit.exe and klist.exe can help understand what's going
on: klist AA will show what cache type is in use, and "kinit -c API:
<principal>" will create an API: cache, viewable from the GUI, which can
be made default therein.
We have had a couple of reports that the lack of visibility into the
default cache type can be confusing, and the upcoming 4.1 release should
include some functionality to help in this situation. I haven't decided
what exactly that will look like, though -- do you have a preference among
(1) another checkbox/display column for the cache name, (2) an option for
cache type in the "get ticket" window, (3) a warning when new tickets will
use the LSA cache, or (4) something else?
We really do appreciate getting feedback about the KfW 4.0 series.
Thanks,
Ben
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
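To make the cache-type distinction above concrete, here is an added example (not from the thread or from KfW itself) that parses MIT `klist -A` output and flags the situation the reply describes: the primary cache being MSLSA:, so that a new kinit overwrites the single LSA identity. It assumes the usual MIT klist layout (`Ticket cache: TYPE:name` followed by `Default principal: ...`, one block per cache, primary cache listed first) and uses constructed sample output rather than a real capture.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `klist -A` output from KfW (not captured from a real system).
# Assumption: MIT klist prints one block per cache in the collection, primary cache first.
SAMPLE_KLIST_A = """\
Ticket cache: MSLSA:
Default principal: bhendin@EXAMPLE.COM

Valid starting     Expires            Service principal
04/26/14 15:00:00  04/27/14 01:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Ticket cache: API:bhendin@EXAMPLE.COM
Default principal: bhendin@EXAMPLE.COM

Valid starting     Expires            Service principal
04/26/14 15:10:00  04/27/14 01:10:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

CACHE_RE = re.compile(r"^Ticket cache:\s*(?P<type>[A-Za-z0-9_-]+):(?P<rest>.*)$")
PRINC_RE = re.compile(r"^Default principal:\s*(?P<princ>\S+)$")


def parse_klist(text: str) -> List[Dict[str, str]]:
    """Return one dict per cache ({'type', 'name', 'principal'}) in listing order."""
    caches: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = CACHE_RE.match(line)
        if m:
            # Cache name is the full TYPE:residual string, e.g. "MSLSA:" or "API:user@REALM".
            name = m.group("type") + ":" + m.group("rest").strip()
            current = {"type": m.group("type"), "name": name, "principal": ""}
            caches.append(current)
            continue
        m = PRINC_RE.match(line)
        if m and current is not None:
            current["principal"] = m.group("princ")
    return caches


def default_cache_warning(caches: List[Dict[str, str]]) -> Optional[str]:
    """Warn when the primary (first-listed) cache is the LSA cache, which holds one identity."""
    if not caches:
        return "no credential caches found"
    primary = caches[0]
    if primary["type"].upper() == "MSLSA":
        who = primary["principal"] or "the current ticket"
        return f"default cache is {primary['name']}: a new kinit will overwrite {who}"
    return None
```

Running `klist -A` on the KfW command line and feeding its output to `parse_klist` gives the same structure for a live system, with the API: caches being the ones the GUI can show and make default.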