MIT Kerberos client and default cache


MIT Kerberos client and default cache

Pierre Dehaen
Hello list,

Configuration:
- Windows are clients of an AD
- Kfw 4.1 is used to acquire tickets from another realm
- Clients use tickets through Firefox to access apache applications
- All working well

In the Kfw GUI, next to the TGT of the additional realm, we see the TGT of the AD. The
former shows API: as credential cache, while the latter shows MSLSA:, all good.

According to <https://mailman.mit.edu/pipermail/kerberos/2015-April/020637.html>: Once
you have a ticket, the "make default" button will set the registry entry for you.

That is the problem: once a user has clicked "Make default" while the AD ticket was by
chance selected, only one TGT can be acquired at a time, each Get Ticket overwrites all
existing tickets.

Okay, I can fix this in the registry... but users can't, that's too difficult/risky, and I can't find a
way to revert to the default credential cache from the GUI. Even the "Make default" trick does
not work anymore as all tickets are MSLSA tickets.

Any advice?

TIA,
Pierre Dehaen


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: MIT Kerberos client and default cache

Benjamin Kaduk-2
On Tue, Oct 16, 2018 at 09:40:42AM +0200, Pierre Dehaen wrote:

> Hello list,
>
> Configuration:
> - Windows are clients of an AD
> - Kfw 4.1 is used to acquire tickets from another realm
> - Clients use tickets through Firefox to access apache applications
> - All working well
>
> In the Kfw GUI, next to the TGT of the additional realm, we see the TGT of the AD. The
> former shows API: as credential cache, while the latter shows MSLSA:, all good.
>
> According to <https://mailman.mit.edu/pipermail/kerberos/2015-April/020637.html>: Once
> you have a ticket, the "make default" button will set the registry entry for you.
>
> That is the problem: once a user has clicked "Make default" while the AD ticket was by
> chance selected, only one TGT can be acquired at a time, each Get Ticket overwrites all
> existing tickets.
>
> Okay, I can fix this in the registry... but users can't, that's too difficult/risky, and I can't find a
> way to revert to the default credential cache from the GUI. Even the "Make default" trick does
> not work anymore as all tickets are MSLSA tickets.
>
> Any advice?

Sadly, this is a "patches welcome" moment -- the issue has been known for
several years but has not been a development priority.  The best workaround
would be to clear the registry entry (and presumably you could prepare a
script/standalone tool to clear this specific registry key, that would be
safe for exposure to end users).

-Ben
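Ben's suggested workaround is a small tool that clears only the one registry value "Make default" wrote, something safe enough to hand to end users. The PowerShell script below is an added example written for this thread; it is not code from the thread or from the MIT Kerberos project. The thread does not name the registry key or value, so `$KfwKeyPath` and `$KfwValueName` are placeholders to be replaced with the location documented for your KfW release; the script also assumes the setting lives under HKCU as a single value, so it runs under the user's own account without elevation. It backs the old value up before removing it and touches nothing else in the key.

```powershell
# Added example, not from the mailing-list thread or the MIT Kerberos project.
# Removes only the per-user registry value that KfW's "Make default" button
# writes, so the default credential cache falls back to KfW's built-in choice.
# The key path and value name are PLACEHOLDERS (the thread does not name them):
# replace them with the location documented for your KfW release.
# Per-user (HKCU) only: no administrator rights needed, no machine-wide change.

$KfwKeyPath   = 'HKCU:\Software\<KFW-REGISTRY-KEY-PLACEHOLDER>'  # placeholder
$KfwValueName = '<DEFAULT-CCACHE-VALUE-NAME-PLACEHOLDER>'         # placeholder
$BackupFile   = Join-Path $env:LOCALAPPDATA 'kfw-default-ccache-backup.txt'

function Get-KfwDefaultCacheSetting {
    # Returns the current override, or $null if the key or value is absent.
    if (-not (Test-Path -Path $KfwKeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KfwKeyPath -Name $KfwValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$KfwValueName
}

function Clear-KfwDefaultCacheSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $current = Get-KfwDefaultCacheSetting
    if ($null -eq $current) {
        Write-Host "No default-cache override found under $KfwKeyPath; nothing to do."
        return
    }

    # Keep a timestamped record of the old value so a helpdesk can restore it.
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $BackupFile -Value "$stamp`t$KfwKeyPath`t$KfwValueName`t$current"

    if ($PSCmdlet.ShouldProcess("$KfwKeyPath\$KfwValueName", 'Remove registry value')) {
        # Remove this one value only; the key and any sibling values are left alone.
        Remove-ItemProperty -Path $KfwKeyPath -Name $KfwValueName -ErrorAction Stop
        Write-Host "Removed override '$current'. Previous value saved to $BackupFile."
    }
}

function Restore-KfwDefaultCacheSetting {
    # Reinstates the most recently backed-up value (a helpdesk action, not for users).
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup file at $BackupFile" }
    $last = (Get-Content -Path $BackupFile | Select-Object -Last 1) -split "`t"
    if ($last.Count -lt 4) { throw 'Backup file is malformed' }
    if (-not (Test-Path -Path $KfwKeyPath)) { New-Item -Path $KfwKeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KfwKeyPath -Name $KfwValueName -Value $last[3]
    Write-Host "Restored '$($last[3])' to $KfwKeyPath\$KfwValueName."
}

# Usage: run from a desktop shortcut or logon script. Dry run first with:
#   Clear-KfwDefaultCacheSetting -WhatIf
Clear-KfwDefaultCacheSetting
```

Because users will run this themselves, deploy it from a trusted share and sign it so the execution policy can be left restrictive; since it only deletes a single HKCU value and records what it removed, the worst case of a mistaken run is a restore from the backup file rather than a broken profile.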