[31536] in Kerberos


Re: Fwd:Windows 7 Kerb bug

daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Tue Oct 6 06:52:37 2009

Message-ID: <4ACB2144.4020100@secure-endpoints.com>
Date: Tue, 06 Oct 2009 06:51:48 -0400
From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: redelson@MIT.EDU
In-Reply-To: <8DD7AD829AB61E499A433D6E558110A308438349@EXPO7.exchange.mit.edu>
Cc: "akozlov@mit.edu" <akozlov@MIT.EDU>,
   "windows7-release@mit.edu" <windows7-release@MIT.EDU>,
   "kerberos@mit.edu" <kerberos@MIT.EDU>
Reply-To: jaltman@secure-endpoints.com

Richard:

I too am frustrated by the lack of information being distributed
by the MIT Kerberos Consortium regarding the future of KFW.
I heard a rumor that Network Identity Manager was being removed
from KFW last Summer and then KFW 3.2.3 Alpha shipped once again
with v1.3.  The Consortium Roadmap doesn't even make a reference
to KFW.

  http://k5wiki.kerberos.org/wiki/Roadmap

Whether or not the Consortium decides to stop shipping Network
Identity Manager with KFW, it is not going away.  Version 2.0 has
been in a state of being just about ready for nearly six months.
There are also active project proposals to implement Network
Identity Manager on Linux and Mac OS X.  If you are aware of issues
with Network Identity Manager that have not already been addressed
I would like to hear about them.

Many of the issues that I am aware of at large sites with complex
multi-realm environments such as MIT can be avoided by applying
the appropriate configuration information to the MSI as a transform
or publishing configuration data via Group Policy to managed
machines.  One of the areas which has been confusing for sites
that deploy Network Identity Manager is a lack of understanding
that not all of the functionality that is exported via the user
interface is actually part of Network Identity Manager.

One of the primary development goals of Network Identity Manager
was to remove the burden from the MIT Kerberos team of maintaining
support for third party derivative credential types such as AFS
tokens.  Network Identity Manager provides an agnostic framework
into which Identity Providers, Credential Providers, and Tool
Providers permit the customization of the user experience for the
organization based upon the identity sources and credential types
required for the organization.  Since the MIT Kerberos team could
not support arbitrary credential types, there was always pressure
from outside to add something new or tweak the support for AFS
in a manner required by a local institution.  The failure of MIT
to respond was a forking of the user experience across institutions.
Stanford, UMich, Cornell, Rose-Hulman, and many others had to
expend resources to develop their own local credential management
tools.  Once the credential management tools are being distributed
locally the temptation to fork the KFW sources and produce
incompatible libraries is quite high.   Incompatible libraries
at different sites result in a high support cost for application
developers.  Convincing developers to add support for Kerberos
is already hard enough without such challenges.

The experience of Secure Endpoints when it was responsible for
supporting MIT had significant input into the Network Identity
Manager design.  MIT has a centralized identity provider (the
ATHENA.MIT.EDU realm) but it also has a large number of
decentralized Windows domains that are also Kerberos providers.
To obtain access to central resources and many of the department
AFS cells the ATHENA.MIT.EDU identity must be used.  However, the
local Windows domain identity was required for accessing other
resources.  It was critical that users be able to make use of
both identities when they are available.

The primary frustrations that I am aware of with v1.3 are the Leash32
style "obtain credentials dialog" which requires the user to enter
the user name, realm, and password along with the lack of a wizard
to walk the user through the configuration of third party providers
such as the OpenAFS provider.  The OpenAFS provider was broken by
the referrals support that went into KFW 3.2.x.  No bug reports were
filed against OpenAFS for more than a year.  It was fixed immediately
after a report was received but if your users had one of the broken
builds I'm sure they were quite frustrated.

In any case, Network Identity Manager v2 includes significant new
functionality that is the result of feedback received at the 2007
SOAP conference at Carnegie-Mellon where the application underwent
a usability evaluation as well as from the sites which rely upon it
as their primary user interface to end users:

   1. A new identity creation wizard which prompts the user for the
      type of identity and walks the user through the creation of
      the identity and configuration of all of the available credential
      providers that are compatible with that identity.
   2. A new obtain credentials dialog which avoids the need for users to
      enter their name and realm for each request.  Instead, once an
      identity is defined the users simply select it from a list.
   3. Support for multiple identity providers.  Kerberos v5 is no longer
      exclusive.  This will permit the addition of X.509 identities
      in the future which can be used to obtain credentials for multiple
      Kerberos v5 principals perhaps from multiple realms.
   4. A Keystore identity provider is included which permits acquiring
      TGTs and derived credentials for multiple identities with one
      local authentication.
   5. A new progress dialog that explains what the various credential
      providers are doing during a new credential acquisition or a renewal.
   6. User assignment of icons to each network identity
   7. Addition of an animated battery for each identity which shows
      valid lifetime and can be used to initiate renewal.
   8. Addition of a star to indicate the current default identity instead
      of a color palette change.

Here are some screen shots:

    * http://www.secure-endpoints.com/netidmgr/v2/nim-basic-icons.PNG
    * http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-idsel.PNG
    * http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-basic-ks.PNG
    * http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-idspec.PNG
    * http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-adv-ks.PNG
    * http://www.secure-endpoints.com/netidmgr/v2/nim-new-creds-progress.PNG

A presentation on Network Identity Manager v2 was given at the 2009 AFS &
Kerberos Best Practices Workshop by Asanka Herath, Daniel Kouřil, and
myself.

     http://workshop.openafs.org/afsbpw09/thu_3_3.html

Many peer institutions including Stanford University, Carnegie Mellon and
FermiLab are extremely happy with Network Identity Manager and Secure
Endpoints has a direct channel to their help desks.  Whenever there were
problems with Network Identity Manager, they were addressed in subsequent
releases.

I should point out that due to MIT's discomfort with the switch from Leash32
to NetIdMgr, the KFW 3.2.x 32-bit MSI does include the leash32 binary and
MIT can apply a transform to the MSI that will install leash32 and not
Network Identity Manager 1.3.  If the reason that MIT has continued to ship
KFW 2.6.5 for all of these years is a dislike for Network Identity Manager,
it has done so for no good reason.  Of course, this is only true for 32-bit
platforms because Leash32 will not compile on 64-bit platforms.

Regarding Network Identity Manager release schedules, I am hoping to be able
to ship v2 by the end of this month.   I do not know whether it will be shipped
as part of a KFW package, or standalone, or whether the Network Identity Manager
distribution will include a bundled Kerberos distribution.

If you have any questions regarding Network Identity Manager, please feel free
to ask them.

Jeffrey Altman
Secure Endpoints Inc.


Richard Edelson wrote:
> I actually wanted to get rid of 2.6.5 this summer but I'm still holding off because of issues people are having with NIM. I heard NIM is going away.....do you have info on upcoming release schedules?
>
> Richard
>
>
> -----Original Message-----
> From: Jeffrey Altman [mailto:jaltman@secure-endpoints.com]
> Sent: Monday, October 05, 2009 5:26 AM
> To: redelson@mit.edu
> Cc: akozlov@mit.edu; kerberos@mit.edu; windows7-release@mit.edu
> Subject: Re: Fwd:Windows 7 Kerb bug
>
> Richard Edelson wrote:
>> I have a separate installer the pismere build machine made of 2.6.5 which works fine, it's on DFS:
>> \\win.mit.edu\dfs\msi\MIT Windows Utilities\KfW\kfw2005-12-20.msi
>
> While you may believe that kfw 2.6.5 works fine on Vista and Win7, it
> really doesn't.   Microsoft Crash Reporting receives more than 6000
> crash reports a month from 2.6.5 leash32.exe, gssapi32.dll and
> krb5_32.dll.
>
>


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
