From: petesea@bigfoot.com
Date: Sat, 26 Aug 2006 10:49:10 -0700 (Pacific Daylight Time)
Subject: KfW 3.1 beta and expired passwords
To: kfw-bugs@mit.edu

I've been testing out KfW 3.1 beta and have found a few bugs related to
expired passwords. I actually found some of these bugs in KfW 3.0, but
never quite got around to reporting them. Hopefully they can be fixed
before 3.1 is released.

1. If the passwd has expired, the "Obtain new credentials" dialog
SOMETIMES (see bug #2) shows this:

    Krb5 : The password for the selected Identity has expired.
    Click here to change the password

Unfortunately the "here" link takes you to the "Kerberos 5" options
dialog... as if you'd pressed the "Kerberos 5" button at the bottom of the
"Obtain new credentials" dialog. Instead it should take you to the
"Change password" dialog. At least that's what makes sense to me.
------------------------------------------------------------------
2. As I said above, the "Click here to change the password" link is only
displayed SOMETIMES. I'm not sure under which conditions it's displayed,
but it SEEMS like maybe only if the principal's password is expired when
the registry entries for the principals are first created... in other
words only the first time after KfW is installed. If the password is
changed and then expired again, the "Click here to change the password"
link will no longer be displayed.

Just noticed something... the dialog that displays the "Click here..."
message is titled "Obtain new credentials" and does NOT have a password
field.

The dialog that does NOT display the "Click here..." message is titled
"[PRINCIPAL] - New credentials" and DOES have a password field.

If the passwd is expired when KfW is first installed, then you always get
the "Obtain new credentials" dialog no matter how it's started (i.e.
triggered by some other app, via systray, via NIM Credential menu).

Upon further investigation, I've found that the following registry entry
determines which "New credentials" dialog is displayed.

    HKCU\Software\MIT\NetIDMgr\KCDB\Identity\(PRINCIPAL)\Krb5Cred\PromptCache\0\Prompt

If this registry entry does NOT exist, then the "Obtain new credentials"
dialog (with "Change password" link and WITHOUT password field) is
displayed.

If this registry entry DOES exist, then the "(PRINCIPAL) - New
credentials" dialog (WITHOUT "Change password" link and WITH password
field) is displayed.

Again, what I would like to see is the "Change password" link regardless
of when or how an expired password is detected. Of course this assumes
the link itself goes to the correct "Change password" dialog (Bug #1).
------------------------------------------------------------------
3. After opening the Network Identity Manager, if you go to
"Credential->Change password..." WITHOUT first selecting a credential
(even if there's only one), the "Change password..." menu item will be
grayed out. Since the "Change password" dialog contains fields for
"Username" and "Realm", why does an Identity need to be selected?

This may also be related to the "first time after KfW is installed" and/or
the "Prompt" registry entry.
------------------------------------------------------------------
4. While trying to change my password I got "Unknown error code" for
several attempts. Sometimes I got a Windows dialog that says
"netmgrid.exe" has generated errors and will be closed. After several
tries I finally realized kadmind wasn't running on the server. Shouldn't
KfW get a timeout? And couldn't it provide a better message such as
"Change password server is not responding"... or "Administrative server is
not responding"?