Net Identity Manager: Identity - Kerberos


Thread: Net Identity Manager: Identity

  1. Net Identity Manager: Identity

    Hi, I've installed the new kfw to see the changes between the old leash
    and the new version.

    I noticed a real hard difficulty in creating an identity. How can a
    user, a naive user, create his identity? It was quite easy in the old
    version, but now it seems difficult. The documentation does not even
    cover this aspect.

    I have some testing realms without DNS SRV fields, and I asked a user
    (naive one, but used kfw/afs the old way) to download the last KfW and
    OpenAFS versions (configured using our configuration files), gain his
    ticket and AFS token. He couldn't even get a ticket because the OK
    button in creating credentials is not enabled. He also noticed that the
    old integrated logon does not work anymore. I know he could kinit/aklog
    but he's not happy about this.

    Is there something that I can do to ease a user's life... and possibly
    ease even mine?

    --
    Sensei

    The optimist thinks this is the best of all possible worlds.
    The pessimist fears it is true. [J. Robert Oppenheimer]


  2. Re: Net Identity Manager: Identity

    Sensei wrote:
    > Hi, I've installed the new kfw to see the changes between the old leash
    > and the new version.
    >
    > I noticed a real hard difficulty in creating an identity. How can a
    > user, a naive user, create his identity? It was quite easy in the old
    > version, but now it seems difficult. The documentation does not even
    > cover this aspect.
    >
    > I have some testing realms without DNS SRV fields, and I asked a user
    > (naive one, but used kfw/afs the old way) to download the last KfW and
    > OpenAFS versions (configured using our configuration files), gain his
    > ticket and AFS token. He couldn't even get a ticket because the OK
    > button in creating credentials is not enabled. He also noticed that the
    > old integrated logon does not work anymore. I know he could kinit/aklog
    > but he's not happy about this.
    >
    > Is there something that I can do to ease a user's life... and possibly
    > ease even mine?


    There are several serious known bugs in KFW 3.0 that prevent me
    from recommending its use. These bugs are fixed in the source
    repository and will be included in KFW 3.1.

    (1) If the user's locale is not "en_US" then the Kerberos 5 Identity
    module cannot be loaded.

    (2) If the user's principal name includes numeric characters it is
    treated as an invalid principal and ticket getting is disabled.

    (3) There is a memory leak during credential renewal.

    Until such time as KFW 3.1 is available, I suggest that end users
    stick to KFW 2.6.5.

    I keep a recent alpha build of pre-KFW 3.1 with the fixes in

    http://web.mit.edu/jaltman/Public/KFW/kfw-3.1-alpha/
    /afs/athena.mit.edu/user/j/a/jaltman/Public/KFW/kfw-3.1-alpha/

    along with a matching NetIDMgr AFS plugin. Feel free to evaluate
    the code to ensure it works in your environment but please do not
    distribute it to end users.

    Jeffrey Altman

  3. Re: Net Identity Manager: Identity

    On 2006-07-06 23:44:22 +0200, Jeffrey Altman said:

    > There are several serious known bugs in KFW 3.0 that prevent me
    > from recommending its use. These bugs are fixed in the source
    > repository and will be included in KFW 3.1.
    >
    > (1) If the user's locale is not "en_US" then the Kerberos 5 Identity
    > module cannot be loaded.
    >
    > (2) If the user's principal name includes numeric characters it is
    > treated as an invalid principal and ticket getting is disabled.
    >
    > (3) There is a memory leak during credential renewal.
    >
    > Until such time as KFW 3.1 is available, I suggest that end users
    > stick to KFW 2.6.5.
    >
    > I keep a recent alpha build of pre-KFW 3.1 with the fixes in
    >
    > http://web.mit.edu/jaltman/Public/KFW/kfw-3.1-alpha/
    > /afs/athena.mit.edu/user/j/a/jaltman/Public/KFW/kfw-3.1-alpha/
    >
    > along with a matching NetIDMgr AFS plugin. Feel free to evaluate
    > the code to ensure it works in your environment but please do not
    > distribute it to end users.


    Thanks Jeffrey. I will test the new 3.1 alpha, and 2.6 as you suggested
    for "production".

    --
    Sensei

    The optimist thinks this is the best of all possible worlds.
    The pessimist fears it is true. [J. Robert Oppenheimer]

