Bugzilla – Bug 4301
Automatic/easier integration of ThinLinc in Kerberos environment
Last modified: 2012-11-28 12:29:07
You need to
before you can comment on or make changes to this bug.
Investigate if it is possible to design this so that we can have these on all
installations, not just the once that actually have kerberos configured.
There are a few things to be aware of. First of all, on Linux, there are
actually two different Kerberos implementations:
As far as I can tell, MIT is the standard one in all common distributions.
Heimdal seems to be available in some distros such as Mandriva and Ubuntu.
Fortunately, the syntax of the commands as well as the config file seems to be
mostly the same.
When it comes to kinit, traditionally it has been impossible to transfer the
password over stdin. See for example:
"If you want something that will work with both Heimdal and MIT then
you need to use a pty, like expect does."
Also, the MIT developers apparently had a strong feeling about this:
BUT: We have had several customers using "tl-sso-password | kinit", so
apparently this is no longer an issue!
(In reply to comment #3)
> BUT: We have had several customers using "tl-sso-password | kinit", so
> apparently this is no longer an issue!
But only for MIT kinit, probably. With Heimdal, you probably have to use:
tl-sso-password | kinit --password-file=STDIN
The question is whether we care about Heimdal...
Fixed in 25607. Keeping open though; I'd like to do a basic test. Perhaps we
should also let Saab/MinDef/somebody test.
Tested on SLED11, works.
I'm happy with the current implementation. Let's test the rest in the test
Doesn't work on Solaris 10:
> Running /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh (Obtaining Kerberos ticket)
> kinit is /bin/kinit
> grep: illegal option -- q
> Usage: grep -hblcnsviw pattern file . . .
(In reply to comment #8)
> Doesn't work on Solaris 10:
> > Running /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh (Obtaining Kerberos ticket)
> > kinit is /bin/kinit
> > grep: illegal option -- q
> > Usage: grep -hblcnsviw pattern file . . .
Hopefully fixed in 25949.
Works on Solaris 10.
I have tested this on Ubuntu 12.04 LTS with server build 3701 and it works
as expected, tested with mismatching passwords for realm and local
authentication and nothing unexpected happend, just no ticket in cache and
a good log message in xinit.log describing the issue..
All seems to work as expected, however and side note:
The ticket is only initiated once per session startup, subsequential
disconnected/connect to the session will not update the ticket and
when tgt time outs, a new manual kinit needs to be issued by the user.
I guess this the best we can do right now, but maybe if we had the
Xvnc conntect/disconnect hooks the kinit could be run upon each connect
to renew the tgt instead of just the session startup.