This is the mail archive of the mailing list for the Cygwin project.
Packaging Heimdal for Cygwin was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
- From: Jeffrey Altman <jaltman at openafs dot org>
- To: cygwin at cygwin dot com
- Date: Fri, 21 Jun 2013 13:35:30 -0400
- Subject: Packaging Heimdal for Cygwin was Re: Heimdal 1.5.2: "unknown mech-code 2529639054 for mech 1 3 6 1 4 1 311 2 2 10"
- References: <409A0E510096B044A0EE3778BB3F1F5C01379C903ECD at EXMAIL dot hrl dot com> <51C33835 dot 6000207 at openafs dot org> <409A0E510096B044A0EE3778BB3F1F5C01379C904127 at EXMAIL dot hrl dot com> <51C38880 dot 3090401 at openafs dot org> <20130621074355 dot GE1620 at calimero dot vinschen dot de> <51C45788 dot 7080908 at openafs dot org> <20130621140733 dot GF7362 at calimero dot vinschen dot de>
On 6/21/2013 10:07 AM, Corinna Vinschen wrote:
>> To the best of my knowledge the Heimdal developers have not been
>> contacted by the Cygwin Heimdal package maintainer.
> Well, if it builds...
We are discussing security software that must integrate with the native
environment. When MIT or Heimdal Kerberos is built for OSX it is built
with specific knowledge of the OSX keychain.

When XYZ Kerberos is built for Windows natively it has specific
knowledge of the Microsoft LSA Kerberos cache (readonly) and provides a
secure credential cache implementation into which credentials can be
stored and accessed via the MIT credential cache api. The goal of
Kerberos is single sign-on so if the user obtains Kerberos credentials
as part of the OS logon they should be accessible to the applications
that the user executes without requiring that the user enter their

On Linux the kernel's keyring support is often used to store Kerberos
credentials because it is more secure than plain files. I suspect that
functionality is not emulated by cygwin1.dll since it could not in fact
be secure unless it was backed by a kernel driver.

Since Cygwin Heimdal is built as Linux without any platform specific
credential cache support it will be restricted to using FILE: caches as
a ticket store. Microsoft Kerberos never uses FILE: based caches and
native MIT and Heimdal distributions use them only when explicitly

The preferred location of a krb5.conf file on Windows is

By reading the DOS formatted file stored at that location any configuration
applied to native Kerberos library distributions will also be used by

If Cygwin's /etc/krb5.conf is used the system administrator (often an
end user without knowledge that Kerberos is even being used) must ensure
that the two configuration files are synchronized to avoid inconsistent

I guess that cygwin1.dll could special case /etc/krb5.conf and have it
shadow %ALLUSERSPROFILE%\Kerberos\krb5.conf with appropriate end-of-line
> You can look it up in the source archive really simply:
> From what I gather from the heimdal.cygport file, there's nothing
> special in this build, except for four patch files which fix minor
> build problems and a signal handling bug.
Of the four patches included in the tar ball all but the
lib/roken/signal.c patch are specific to the Cygwin build and
installation. The lib/roken/signal.c patch could be submitted upstream
via a github.com pull request against https://github.com/heimdal/heimdal.
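A drift check for the two krb5.conf copies the message discusses (Cygwin's /etc/krb5.conf and the DOS-formatted %ALLUSERSPROFILE%\Kerberos\krb5.conf), added here as an example and not code from the original message, Heimdal or Cygwin. It parses both files into section/key/value maps, treating CRLF and LF identically so that only real setting differences are reported; the two sample configurations are constructed.

```python
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")          # e.g. [libdefaults]
KV_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")     # key = value  /  REALM = {

def parse_krb5_conf(text):
    """Return {section: {dotted.key: value}} for a krb5.conf body.
    splitlines() accepts \\r\\n (Windows copy) and \\n (Cygwin copy) alike,
    '#' comments are dropped, and brace blocks nest via a key stack."""
    cfg, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            cfg.setdefault(section, {})
            stack = []
            continue
        if line == "}":                    # close of REALM = { ... }
            if stack:
                stack.pop()
            continue
        m = KV_RE.match(line)
        if not m or section is None:
            continue                        # stray text outside any section
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "{":
            stack.append(key)               # enter nested block
            continue
        cfg[section][".".join(stack + [key])] = value
    return cfg

def krb5_conf_diff(a_text, b_text):
    """List (section, key, value_in_a, value_in_b) for every setting that
    differs; an empty list means the two copies are synchronized."""
    a, b = parse_krb5_conf(a_text), parse_krb5_conf(b_text)
    diffs = []
    for sec in sorted(set(a) | set(b)):
        ka, kb = a.get(sec, {}), b.get(sec, {})
        for key in sorted(set(ka) | set(kb)):
            if ka.get(key) != kb.get(key):
                diffs.append((sec, key, ka.get(key), kb.get(key)))
    return diffs

# Constructed samples: the Windows copy uses CRLF, the Cygwin copy LF.
WINDOWS_CONF = ("[libdefaults]\r\n default_realm = EXAMPLE.COM\r\n forwardable = true\r\n"
                "[realms]\r\n EXAMPLE.COM = {\r\n  kdc = kdc1.example.com\r\n }\r\n")
CYGWIN_CONF = ("[libdefaults]\n default_realm = EXAMPLE.COM\n forwardable = false\n"
               "[realms]\n EXAMPLE.COM = {\n  kdc = kdc1.example.com\n }\n")
```

To check the live files, read /etc/krb5.conf and the Windows path converted with `cygpath "$ALLUSERSPROFILE"` as text and pass both bodies to krb5_conf_diff.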