Investigate if it is possible to design this so that we can have these on all installations, not just the ones that actually have Kerberos configured.
There are a few things to be aware of. First of all, on Linux, there are actually two different Kerberos implementations:

1) MIT
2) Heimdal

As far as I can tell, MIT is the standard one in all common distributions. Heimdal seems to be available in some distros such as Mandriva and Ubuntu. Fortunately, the syntax of the commands as well as the config file seems to be mostly the same.

When it comes to kinit, traditionally it has been impossible to transfer the password over stdin. See for example: http://www.digipedia.pl/usenet/thread/11861/2174/

"If you want something that will work with both Heimdal and MIT then you need to use a pty, like expect does."

Also, the MIT developers apparently had a strong feeling about this: http://lists.openafs.org/pipermail/openafs-info/2003-August/010379.html

BUT: We have had several customers using "tl-sso-password | kinit", so apparently this is no longer an issue!
(In reply to comment #3)
> BUT: We have had several customers using "tl-sso-password | kinit", so
> apparently this is no longer an issue!

But only for MIT kinit, probably. With Heimdal, you probably have to use:

tl-sso-password | kinit --password-file=STDIN

The question is whether we care about Heimdal...
Fixed in 25607. Keeping open though; I'd like to do a basic test. Perhaps we should also let Saab/MinDef/somebody test.
Tested on SLED11, works.
I'm happy with the current implementation. Let's test the rest in the test cycle.
Doesn't work on Solaris 10:
> Running /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh (Obtaining Kerberos ticket)
> kinit is /bin/kinit
> grep: illegal option -- q
> Usage: grep -hblcnsviw pattern file . . .
(In reply to comment #8)
> Doesn't work on Solaris 10:
>
> > Running /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh (Obtaining Kerberos ticket)
> > kinit is /bin/kinit
> > grep: illegal option -- q
> > Usage: grep -hblcnsviw pattern file . . .

Hopefully fixed in 25949.
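An added example, not ThinLinc's actual 01-tl-kinit.sh, of a Bourne-shell wrapper that handles the two portability issues raised in this thread: feeding the password to MIT kinit on stdin versus Heimdal's kinit --password-file=STDIN (comments #3 and #4), and Solaris /bin/grep not accepting -q (comments #8 and #9). It assumes that Heimdal's kinit includes the word "Heimdal" in its --version output and that tl-sso-password prints the password on stdout; both are assumptions.

```shell
#!/bin/sh
# Example wrapper (not ThinLinc's own script). Written for the legacy Bourne
# shell: backticks instead of $(...), case instead of grep -q.

# Classify a kinit by its version banner. The banner is passed in as text so
# the function can be tested without a real kinit. Assumption: Heimdal's kinit
# prints "Heimdal" for --version; MIT's prints a usage error instead.
kinit_flavor() {
    case "$1" in
        *Heimdal*) echo heimdal ;;
        *)         echo mit ;;
    esac
}

# Command line that reads the password from stdin for the given flavor, as
# described in this thread: plain kinit for MIT, --password-file=STDIN for Heimdal.
kinit_cmd() {
    case "$1" in
        heimdal) echo "kinit --password-file=STDIN" ;;
        *)       echo "kinit" ;;
    esac
}

# Portable "quiet" grep: redirect output instead of relying on -q, which
# Solaris 10 /bin/grep rejects with "illegal option -- q".
quiet_grep() {
    grep "$@" >/dev/null 2>&1
}

# Detect the installed kinit, pipe the SSO password into it, and log the
# outcome without ever writing the password itself to the log.
obtain_ticket() {
    banner=`kinit --version 2>&1`
    flavor=`kinit_flavor "$banner"`
    cmd=`kinit_cmd "$flavor"`
    if tl-sso-password | $cmd; then
        echo "Obtained Kerberos ticket using $flavor kinit"
    else
        echo "kinit ($flavor) failed; no ticket in cache" >&2
        return 1
    fi
}

# Only run against the real system when invoked as "script.sh run".
if [ "${1-}" = run ]; then
    obtain_ticket
fi
```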
Works on Solaris 10.
I have tested this on Ubuntu 12.04 LTS with server build 3701 and it works as expected, tested with mismatching passwords for realm and local authentication and nothing unexpected happened, just no ticket in cache and a good log message in xinit.log describing the issue. All seems to work as expected, however, a side note: the ticket is only initiated once per session startup, subsequent disconnect/connect to the session will not update the ticket and when the TGT times out, a new manual kinit needs to be issued by the user. I guess this is the best we can do right now, but maybe if we had the Xvnc connect/disconnect hooks the kinit could be run upon each connect to renew the TGT instead of just at session startup.