Re: Upcoming KfW 3.x ??
Jeff Blaine wrote:
> On 1/6/2010 7:33 PM, Jeffrey Altman wrote:
>> On 1/6/2010 2:32 PM, Jeff Blaine wrote:
>>> I seem to have all sorts of weird problems with KfW.
>>>
>>> For instance, I just clicked 'Cancel' in the 'Obtain
>>> new credentials' dialog for a certain realm and the
>>> dialog greyed out, won't go away, and won't close
>>> via [X].
>>>
>>> Other times I get DNS failures from NIM when nslookup
>>> in a cmd.exe window resolves the KDCs fine.
>>>
>>> Overall, I have zero problems with other network apps
>>> on this box.
>> You are welcome to try a beta of Network Identity Manager v2 if you
>> would like. (Send private mail to be added to the testers list.)
>> However, if the problem is the resolution of DNS SRV records (which
>> some DNS proxies do not respond to) then the problem will not be
>> resolved by the update.
>
> Jeffrey,
>
> I ended up solving my issues by forcibly finding and removing
> all traces of anything related to KfW after "uninstall with
> no config saving" -- and reinstalling.
>
> [ I consider it a bug that 'uninstall' does not clean up the ]
> [ registry when I've said not to keep my "configuration" info. ]

File a bug report against kfw.

> I don't know what the problem was. Oh well.
>
> I'd love to be a tester, but unfortunately I need to run the
> version our users have in order to troubleshoot things.

Well you should be testing anyway before you release to users to ensure that you don't have any surprises or changes in the way things work.

> Aside, is there a reason for the 2-step credential obtaining
> process where the account is 'checked' then one is given a
> password text entry field? It's clunky to interact with.
>
> Another aside, what release will have krb4 cred obtaining
> disabled by default?
>
>> What I would do is use "Network Monitor v3.2" from Microsoft Connect to
>> examine the network traffic and see what requests are failing to receive
>> responses.
>
> FWIW 3.3 is out
>
> Looks like a nice tool. I may ditch put Ethereal in the attic.

If you are still using Ethereal then you are using a very old version. The name has been changed and it is now called Wireshark and is available for Windows.

Danny

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Upcoming KfW 3.x ??
> MIT KFW 3.2.3 Alpha (which I can no longer find on the MIT web site) roughly
> equates to the distribution Secure Endpoints has been shipping to its
> clients.

FWIW http://web.mit.edu/kerberos/dist/testing.html#kfw-3.2.3
Re: Upcoming KfW 3.x ??
On 1/7/2010 2:38 PM, Jeff Blaine wrote:
>>> I'd love to be a tester, but unfortunately I need to run the
>>> version our users have in order to troubleshoot things.
>> Without being a tester, you won't be able to ensure that the next
>> release works the way you want it to in your environment. Unless you
>> are providing funding or some in-kind assistance in the development,
>> why should I spend my time answering your e-mails when you have trouble?
>
> I guess you shouldn't (?)
>
> Perhaps you could explain Secure Endpoints' role in KFW
> development? Last I heard from a link on your website,
> MIT was hiring a full-time developer for KFW. Did that
> not happen?

Secure Endpoints does not have a role with regards to MIT's distribution at the present time. We support a private distribution of KFW for our support customers that has provided 64-bit and Vista/2008 (and now Win7/2008-R2) support for some time. Patches that we have implemented have been given to MIT. However, we are not involved in their release process.

MIT KFW 3.2.3 Alpha (which I can no longer find on the MIT web site) roughly equates to the distribution Secure Endpoints has been shipping to its clients.

> If I install NIMv2 and report in detail on what I find in
> our environment, does that give me credits to use?

It would be a start. Thank you for the beer money as well.

>>> Another aside, what release will have krb4 cred obtaining
>>> disabled by default?
>>
>> Any release you want. As I have said before, you can use a transform to
>> configure the MSI installer to disable Kerberos v4. You can do this today
>
> I am asking when the decision might be made to turn it off by
> default in the master distribution, of course. I already saw
> and read your previous response.

64-bit distributions of MIT KFW do not include Kerberos v4 at all. At this point if I were to issue a significant update (for example a bundle of Network Identity Manager v2 and Kerberos v5 1.8) I would leave it out on 32-bit platforms as well. Kerberos v4 support should continue to be available as a separate distribution for those sites that require it.

However, to my knowledge neither MIT Kerberos 1.7 nor the 1.8 which was announced today builds on Windows.

The annual cost of developing MIT Kerberos for Windows and Network Identity Manager is roughly $175,000. The vast majority of the work that Secure Endpoints has done on NIM over the last two years has been unfunded.

I suspect the reason that the MIT Kerberos Consortium has not focused significant energy on the Windows platform is because their commercial board members (Microsoft, Red Hat, and Sun Microsystems) are not interested in financing the development of the MIT APIs on the Windows platform. Microsoft has a strong interest in seeing applications use the Win32 API (SSPI) and the Unix/Linux vendors might interpret funding Windows development as counter to their interests.

I happen to believe that ensuring the viability of the GSS and MIT Kerberos APIs on the Windows platform is absolutely in the best interest of the Unix/Linux vendors because it ensures that application developers will take the cross platform approach instead of locking themselves onto the Windows platform by using the SSPI exclusively. Failure to provide support for new functionality on the Windows platform makes it much more difficult to adopt that functionality on Unix/Linux. Security solution availability needs to be ubiquitous. Otherwise, the solutions cannot be deployed.

Jeffrey Altman
Re: Upcoming KfW 3.x ??
>> I'd love to be a tester, but unfortunately I need to run the
>> version our users have in order to troubleshoot things.
> Without being a tester, you won't be able to ensure that the next
> release works the way you want it to in your environment. Unless you
> are providing funding or some in-kind assistance in the development,
> why should I spend my time answering your e-mails when you have trouble?

I guess you shouldn't (?)

Perhaps you could explain Secure Endpoints' role in KFW development? Last I heard from a link on your website, MIT was hiring a full-time developer for KFW. Did that not happen?

If I install NIMv2 and report in detail on what I find in our environment, does that give me credits to use?

>> Aside, is there a reason for the 2-step credential obtaining
>> process where the account is 'checked' then one is given a
>> password text entry field? It's clunky to interact with.
> In NIM v1.x the account's existence is verified before prompting for a
> password in order to protect against users that typo the username or
> realm and created an identity in the database that in fact does not exist.
>
> In NIM v2, identities are created by a wizard that walks the user
> through the configuration of all applicable credential providers. After
> the identity is created the user simply selects one of the pre-configured
> ones instead of manually typing the username and realm each time. This
> change is both to improve usability but also to permit NIM v2 to be used
> with X.509 and Keystore identities in addition to Kerberos v5.

Great.

>> Another aside, what release will have krb4 cred obtaining
>> disabled by default?
>
> Any release you want. As I have said before, you can use a transform to
> configure the MSI installer to disable Kerberos v4. You can do this today

I am asking when the decision might be made to turn it off by default in the master distribution, of course. I already saw and read your previous response.
Re: Upcoming KfW 3.x ??
On 1/7/2010 11:48 AM, Jeff Blaine wrote:
> Jeffrey,
>
> I ended up solving my issues by forcibly finding and removing
> all traces of anything related to KfW after "uninstall with
> no config saving" -- and reinstalling.
>
> [ I consider it a bug that 'uninstall' does not clean up the ]
> [ registry when I've said not to keep my "configuration" info. ]

File a bug with MIT.

>
> I don't know what the problem was. Oh well.

Depending on which keys you are talking about, the per user configuration data is never removed by an uninstaller since the uninstaller doesn't have access to the per user data. Not all users may be logged into the machine.

>
> I'd love to be a tester, but unfortunately I need to run the
> version our users have in order to troubleshoot things.

Without being a tester, you won't be able to ensure that the next release works the way you want it to in your environment. Unless you are providing funding or some in-kind assistance in the development, why should I spend my time answering your e-mails when you have trouble?

>
> Aside, is there a reason for the 2-step credential obtaining
> process where the account is 'checked' then one is given a
> password text entry field? It's clunky to interact with.

In NIM v1.x the account's existence is verified before prompting for a password in order to protect against users that typo the username or realm and created an identity in the database that in fact does not exist.

In NIM v2, identities are created by a wizard that walks the user through the configuration of all applicable credential providers. After the identity is created the user simply selects one of the pre-configured ones instead of manually typing the username and realm each time. This change is both to improve usability but also to permit NIM v2 to be used with X.509 and Keystore identities in addition to Kerberos v5.

>
> Another aside, what release will have krb4 cred obtaining
> disabled by default?

Any release you want. As I have said before, you can use a transform to configure the MSI installer to disable Kerberos v4. You can do this today.

>> What I would do is use "Network Monitor v3.2" from Microsoft Connect to
>> examine the network traffic and see what requests are failing to receive
>> responses.
>
> FWIW 3.3 is out
>
> Looks like a nice tool. I may ditch put Ethereal in the attic.

They each have their own strengths and weaknesses. Ethereal can be used to decrypt encrypted traffic and has AFS support. NetMon does a much better job of analyzing and displaying conversations.
Re: Upcoming KfW 3.x ??
On 1/6/2010 7:33 PM, Jeffrey Altman wrote:
> On 1/6/2010 2:32 PM, Jeff Blaine wrote:
>> I seem to have all sorts of weird problems with KfW.
>>
>> For instance, I just clicked 'Cancel' in the 'Obtain
>> new credentials' dialog for a certain realm and the
>> dialog greyed out, won't go away, and won't close
>> via [X].
>>
>> Other times I get DNS failures from NIM when nslookup
>> in a cmd.exe window resolves the KDCs fine.
>>
>> Overall, I have zero problems with other network apps
>> on this box.
>
> You are welcome to try a beta of Network Identity Manager v2 if you
> would like. (Send private mail to be added to the testers list.)
> However, if the problem is the resolution of DNS SRV records (which
> some DNS proxies do not respond to) then the problem will not be
> resolved by the update.

Jeffrey,

I ended up solving my issues by forcibly finding and removing all traces of anything related to KfW after "uninstall with no config saving" -- and reinstalling.

[ I consider it a bug that 'uninstall' does not clean up the ]
[ registry when I've said not to keep my "configuration" info. ]

I don't know what the problem was. Oh well.

I'd love to be a tester, but unfortunately I need to run the version our users have in order to troubleshoot things.

Aside, is there a reason for the 2-step credential obtaining process where the account is 'checked' then one is given a password text entry field? It's clunky to interact with.

Another aside, what release will have krb4 cred obtaining disabled by default?

> What I would do is use "Network Monitor v3.2" from Microsoft Connect to
> examine the network traffic and see what requests are failing to receive
> responses.

FWIW 3.3 is out

Looks like a nice tool. I may ditch put Ethereal in the attic.
Re: Upcoming KfW 3.x ??
On 1/6/2010 2:32 PM, Jeff Blaine wrote:
> I seem to have all sorts of weird problems with KfW.
>
> For instance, I just clicked 'Cancel' in the 'Obtain
> new credentials' dialog for a certain realm and the
> dialog greyed out, won't go away, and won't close
> via [X].
>
> Other times I get DNS failures from NIM when nslookup
> in a cmd.exe window resolves the KDCs fine.
>
> Overall, I have zero problems with other network apps
> on this box.

You are welcome to try a beta of Network Identity Manager v2 if you would like. (Send private mail to be added to the testers list.) However, if the problem is the resolution of DNS SRV records (which some DNS proxies do not respond to) then the problem will not be resolved by the update.

What I would do is use "Network Monitor v3.2" from Microsoft Connect to examine the network traffic and see what requests are failing to receive responses. The krb5 library in KFW has no trace logging that would permit such a problem to be identified from within the library.

Jeffrey Altman
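The reply above separates host-name resolution (what nslookup showed working) from the DNS SRV lookup used to locate KDCs. As an added example, not part of the thread and not KfW code, this builds the `_kerberos._udp.<realm>` SRV question and parses a reply so the two cases can be told apart on the wire; the realm `EXAMPLE.TEST`, the host `kdc1.example.test` and the reply bytes are constructed assumptions.

```python
import struct

SRV, IN = 33, 1  # DNS record type SRV, class IN

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_srv_query(realm, proto="udp", txid=0x4B35):
    """Question for _kerberos._<proto>.<realm>, type SRV, recursion desired."""
    qname = encode_name(f"_kerberos._{proto}.{realm}")
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", SRV, IN)

def read_name(msg, off, hops=0):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    while msg[off]:
        if (msg[off] & 0xC0) == 0xC0:  # compression pointer to an earlier name
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            rest = read_name(msg, ptr, hops + 1)[0]
            return ".".join(labels + [rest] if rest else labels), off + 2
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels), off + 1

def parse_srv_reply(msg):
    """Return (rcode, [(priority, weight, port, target), ...]) from a DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:  # rdata: priority, weight, port, then the target name
            records.append(struct.unpack("!HHH", msg[off:off + 6]) + (read_name(msg, off + 6)[0],))
        off += rdlen
    return flags & 0x000F, records

def constructed_reply(query, target="kdc1.example.test", port=88):
    """Constructed sample reply: echoes the question, one SRV answer via name pointer."""
    rdata = struct.pack("!HHH", 0, 0, port) + encode_name(target)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SRV, IN, 300, len(rdata)) + rdata
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + answer
```

Sending the bytes from `build_srv_query(realm)` over UDP to the resolver the workstation uses and getting nothing back is the failure described above; an rcode of 3 (NXDOMAIN) instead means the realm publishes no SRV records.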
Upcoming KfW 3.x ??
I seem to have all sorts of weird problems with KfW.

For instance, I just clicked 'Cancel' in the 'Obtain new credentials' dialog for a certain realm and the dialog greyed out, won't go away, and won't close via [X].

Other times I get DNS failures from NIM when nslookup in a cmd.exe window resolves the KDCs fine.

Overall, I have zero problems with other network apps on this box.