Hi Ben,

On Fri, 25 Apr 2014, Ben H wrote:

> That's interesting - thank you. I was able to actually validate what you
> stated by installing MIT Kerberos on my Windows system and then configuring
> Putty's GSSAPI option to use the MIT GSSAPI libraries as preference.
> My first attempt with kfw-4.0.1 was unsuccessful and I suspect it has to do
> with how 4.01 integrates into the Windows LSA cache - I didn't seem able to
> separate my Windows tickets from the MIT ones (init/destroy in one location
> reflected in the other). I suspect I may have been able to find a way to
> configure it, but 4.01 seems very turnkey and I couldn't quickly find some
> way to customize this behavior.

The intention behind the KfW 4.0 GUI is that people using it would only be using the API: credentials cache type, and would probably not be interacting with the native Windows LSA cache (the MSLSA: cache type as exposed by KfW). As such, the GUI does not offer a way to change what cache will be used for new tickets obtained using the GUI; they will be placed into the default cache. Since the API cache is collection-enabled, it is possible to have credentials for multiple principals present, and they will be displayed in the ticket list. Since the LSA cache only supports having one identity at a time, if the default cache is MSLSA:, the new ticket will overwrite any preexisting ones.

I'm not sure how your system ended up in a state where the MSLSA: cache was the default (there is a registry key to control this), but using the KfW-provided kinit.exe and klist.exe can help understand what's going on: klist AA will show what cache type is in use, and "kinit -c API: <principal>" will create an API: cache, viewable from the GUI, which can be made default therein.

We have had a couple of reports that the lack of visibility into the default cache type can be confusing, and the upcoming 4.1 release should include some functionality to help in this situation. I haven't decided what exactly that will look like, though -- do you have a preference among (1) another checkbox/display column for the cache name, (2) an option for cache type in the "get ticket" window, (3) a warning when new tickets will use the LSA cache, or (4) something else?

We really do appreciate getting feedback about the KfW 4.0 series.

Thanks,

Ben
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos