www.cendio.com
Bug 4301 - Automatic/easier integration of ThinLinc in Kerberos environment
Status: CLOSED FIXED
: ThinLinc
Other
: 3.2.0
: PC Unknown
: P2 Normal
: 4.0.0
Reported: 2012-05-22 08:40 by
Modified: 2012-11-28 12:29 (History)
------- Comment #2 From cendio 2012-06-28 10:39:17 -------
Investigate if it is possible to design this so that we can have these on all
installations, not just the ones that actually have Kerberos configured.
------- Comment #3 From cendio 2012-08-13 11:30:49 -------
There are a few things to be aware of. First of all, on Linux, there are
actually two different Kerberos implementations:

1) MIT
2) Heimdal

As far as I can tell, MIT is the standard one in all common distributions.
Heimdal seems to be available in some distros such as Mandriva and Ubuntu.
Fortunately, the syntax of the commands as well as the config file seems to be
mostly the same. 

When it comes to kinit, traditionally it has been impossible to transfer the
password over stdin. See for example:

http://www.digipedia.pl/usenet/thread/11861/2174/

"If you want something that will work with both Heimdal and MIT then
you need to use a pty, like expect does."

Also, the MIT developers apparently had a strong feeling about this:

http://lists.openafs.org/pipermail/openafs-info/2003-August/010379.html

BUT: We have had several customers using "tl-sso-password | kinit", so
apparently this is no longer an issue!
------- Comment #4 From cendio 2012-08-13 11:33:41 -------
(In reply to comment #3)

> BUT: We have had several customers using "tl-sso-password | kinit", so
> apparently this is no longer an issue!

But only for MIT kinit, probably. With Heimdal, you probably have to use:

tl-sso-password | kinit --password-file=STDIN


The question is whether we care about Heimdal...
------- Comment #5 From cendio 2012-08-14 09:00:41 -------
Fixed in 25607. Keeping open though; I'd like to do a basic test. Perhaps we
should also let Saab/MinDef/somebody test.
------- Comment #6 From cendio 2012-08-24 13:24:30 -------
Tested on SLED11, works.
------- Comment #7 From cendio 2012-08-24 13:27:52 -------
I'm happy with the current implementation. Let's test the rest in the test
cycle.
------- Comment #8 From cendio 2012-10-03 13:00:18 -------
Doesn't work on Solaris 10:

> Running /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh (Obtaining Kerberos ticket)
> kinit is /bin/kinit
> grep: illegal option -- q
> Usage: grep -hblcnsviw pattern file . . .
------- Comment #9 From cendio 2012-10-03 13:47:27 -------
(In reply to comment #8)
> Doesn't work on Solaris 10:
> 
> > Running /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh (Obtaining Kerberos ticket)
> > kinit is /bin/kinit
> > grep: illegal option -- q
> > Usage: grep -hblcnsviw pattern file . . .

Hopefully fixed in 25949.
------- Comment #10 From cendio 2012-10-18 13:57:17 -------
Works on Solaris 10.
------- Comment #11 From cendio 2012-10-29 14:07:37 -------
I have tested this on Ubuntu 12.04 LTS with server build 3701 and it works
as expected, tested with mismatching passwords for realm and local
authentication and nothing unexpected happened, just no ticket in cache and
a good log message in xinit.log describing the issue.

All seems to work as expected, however, a side note:

The ticket is only initiated once per session startup, subsequent
disconnect/connect to the session will not update the ticket and
when the tgt times out, a new manual kinit needs to be issued by the user.
I guess this is the best we can do right now, but maybe if we had the
Xvnc connect/disconnect hooks the kinit could be run upon each connect
to renew the tgt instead of just the session startup.
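
The MIT/Heimdal difference from comments #3 and #4 and the Solaris `grep -q` failure from comment #8, shown together as an added example; this is not ThinLinc's 01-tl-kinit.sh. The function names are hypothetical, and detecting Heimdal from the output of `kinit --version` is an assumption of this sketch.

```shell
#!/bin/sh
# Added example, not ThinLinc's own script. Function names are hypothetical.

# Classify kinit from the text it prints for "--version".
# Assumption: Heimdal prints a banner containing "Heimdal"; MIT kinit
# rejects the option and prints usage, so anything else is treated as MIT.
kinit_flavor() {
    # Solaris 10 /bin/grep has no -q (comment #8), so discard the
    # output with a redirect and rely on the exit status instead.
    if printf '%s\n' "$1" | grep -i heimdal >/dev/null 2>&1; then
        echo heimdal
    else
        echo mit
    fi
}

# Print the extra arguments kinit needs to read the password from stdin.
kinit_stdin_args() {
    case $(kinit_flavor "$1") in
        heimdal) echo "--password-file=STDIN" ;;  # form given in comment #4
        *)       echo "" ;;                       # MIT: plain pipe, per comment #3
    esac
}

# Obtain a ticket with the password arriving on stdin only, so it never
# shows up in the argument list of any process.
obtain_ticket() {
    kinit_bin=$1
    banner=$("$kinit_bin" --version 2>&1) || true
    args=$(kinit_stdin_args "$banner")
    # $args is left unquoted on purpose: it is empty for MIT kinit.
    tl-sso-password | "$kinit_bin" $args
}

# Demo on constructed banners (not captured from a real system).
for b in 'kinit (Heimdal 1.5.2)' 'kinit: invalid option -- -'; do
    printf '%s -> %s\n' "$b" "$(kinit_flavor "$b")"
done
```

A startup script would call `obtain_ticket "$(command -v kinit)"` and log a non-zero exit status rather than abort the session.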