Posts for February 2010

2010-02-05: Resurfacing

Got it!

Two dogs coming out of the surf of the beach at Lincoln City, Oregon.

I feel quite a bit like those dogs. It's been around a couple of weeks since I've written anything here, mostly because I went heads-down on my big work project and hit a wonderful rhythm with it. I worked over 24 hours last week and 18 hours this week, made a huge amount of progress, and feel much more on top of everything. There should be new releases of krb5-sync and krb5-strength coming soon that support Heimdal, along with a new release of rra-c-util, and then shortly thereafter there will be a new release of wallet.

This has been hugely energizing. At the start, I was focusing only on Heimdal work and our upcoming upgrade, submitting patches back to Heimdal, doing local packaging, and working on krb5-sync. But it's gotten me back into the rhythm of programming, and now I've started to do the needed work on pam-afs-session for the next release.

I'm both surprised and curious about how this has gone, and am now wondering to what extent I can keep control over this pattern and reproduce it. I've moved away from the strict schedule that I kept through most of January, but I don't think that was getting in the way of this sense of flow. Rather, I think it's what enabled it. I cleared the decks, got into a rhythm, and found I was able to concentrate. However, I have dropped the normal variety of things that I try to do daily and spent more time on doing just one thing, which I think is critical. I find it difficult to do that, and often hit this feeling that I'm letting things drop, so that's still something I need to work on.

Other than work and coding, it's been a fairly good past two weeks. I fought back a cold early this week, have played some video games, and have been reading regularly (if not writing reviews regularly). I even did a run of reviews at the end of January to get four done for the month. I've finished another three books (and a magazine) that are waiting for me to find time to think about the reviews.

I have one more regular week this month, and then I'm heading up to Canada for a couple of weeks to work some from there and watch the Olympics with much better coverage than we get in the US. The travel is going to be annoying, since I have to get to the airport at some ridiculous hour of the morning and deal with taking a shuttle, but once I get up there, that should be a lot of fun and quite relaxing. There are several unknowns about it (I'm staying in a different room in the place I normally stay to save some money), and I'm not looking forward to the travel, but I'm looking forward to the rest of it.

The less said about the news and the general state of US politics, the better. I'm working on ignoring it.

2010-02-15: rra-c-util 2.3

This release of my collection of C portability and utility functions adds a portability layer for the Kerberos API. It provides something close to the Heimdal Kerberos API on either MIT Kerberos or Heimdal and adjusts for functions missing in some older versions and other implementations. It also imports the die_krb5 and warn_krb5 functions used in kstart.

Also in this release is the first round of inclusion of portability functions for PAM. Included so far are replacement implementations of pam_syslog and pam_vsyslog and a wrapper around the header files.

Finally, this release cleans up some left-over problems from the split of util/util.h in the previous release and disables the xmalloc test except for maintainers.

I was planning on adding more PAM utility functions in this release, but ran out of time. Hopefully the next release will also include some of the common utility functions and abstractions for both pam-krb5 and pam-afs-session.

You can get the latest version from the rra-c-util distribution page.

2010-02-15: krb5-sync 2.0

krb5-sync is the package that we use at Stanford for synchronizing user passwords and account status between our primary Kerberos realm and Active Directory. This new release adds support for Heimdal as well as MIT Kerberos and includes a patch for Heimdal's libkadm5srv, although the implementation will change in future releases.

This release also drops support for synchronizing passwords with an AFS kaserver. We haven't run a kaserver for quite a while, I no longer have any way to test the support, and several aspects of it were fairly Stanford-specific.

This release is long-overdue, so it also includes several other accumulated fixes: a new option to specify the Active Directory base DN, filtering out more noise in krb5-sync-backend's silent mode, and better error reporting and Kerberos portability.

You can get the latest release from the krb5-sync distribution page.

2010-02-16: krb5-strength 1.0

The primary change in this version, and the reason for the 1.0 version number, is that I added support for Heimdal. The package provides its CrackLib-based password checks both as an external password quality check program and a plugin module for libkadm5srv using the Heimdal APIs.

It continues to provide the MIT Kerberos patch and plugin, but unfortunately still just for very old versions. This release does include some work on a new plugin API from the plugin side, and I was hoping to finish and propose a patch for the current version of MIT Kerberos for possible inclusion, but I ran out of time given other project priorities. Hopefully I'll get a chance to finish that at some point.

There are extensive changes to the build system and portability layer in this release and there's a new test suite, although none of that should change the functionality.

You can get the latest version from the krb5-strength distribution page.

2010-02-17: kadmin-remctl 3.0

This release incorporates work by Jon Robertson to add a version of kadmin-backend that can manipulate Heimdal databases instead of MIT Kerberos databases (using the Heimdal::Kadm5 Perl module). This is a temporary measure (with a lot of code duplication) until the backend can be rewritten with a cleaner remctl API and proper Perl modules. The Heimdal version of kadmin-backend uses the Heimdal external program API for password quality checks, since Heimdal bypasses quality checks for changes done via kadmin.

Also in this release is the ability to configure an external program to determine whether a principal is locked and, if so, reject any enable commands for that principal. It also allows - in principal names in the examine function and significantly improves the error reporting in ksetpass and passwd_change.

You can get the latest release from the kadmin-remctl distribution page.

2010-02-17: podlators 2.3.1

This release is only an internal bookkeeping release, fixing two missed module $VERSION updates from the 2.3.0 release. Its sole goal is to ensure that the $VERSION increases for all modified modules between Perl core updates.

You can get the latest release from the podlators distribution page.

2010-02-21: wallet 0.10

This is the first wallet release in quite a while. I've been frustrated by not having time to work on it, but thankfully a Kerberos upgrade project gave me an opportunity. This release also includes a lot of work by Jon Robertson, who is starting to do wallet server development.

The primary change in this release is support for Heimdal as a Kerberos KDC for the keytab backend. This includes abstraction of the Kerberos kadmin interface used by wallet to make it easier to add additional Kerberos kadmin protocols. For Heimdal, the Heimdal::Kadm5 module (available from CPAN) is required.

This release also drops all support for synchronization with an AFS kaserver, and drops the kasetkey binary used to do that synchronization. The wallet client still supports creating a srvtab, but it's now done based entirely on the keytab, preserves the kvno, and doesn't make any changes on the server side.

Also in this release is support for storing file objects containing nul characters (provided that you have remctl 2.14 or later), separation of wallet reporting into a new wallet-report frontend and Wallet::Report Perl module, addition of lots of new reports, a fix for storing object data starting with a dash, a fix to suppress logging of wallet store data, and reporting of ACL names in object history.

You can get the latest release from the wallet distribution page.

2010-02-27: AFS DNS SRV draft approved

The Internet-Draft that I've been working on to document how to use DNS SRV records to locate AFS vlservers and ptservers, replacing the obsolete AFSDB DNS record documented in RFC 1183, has been approved for publication as a proposed standard. Most of the changes required were minor rephrasings and some tweaks to fit the layout and presentation style that should be used for RFCs. This is the second RFC that I'll have published as proposed standard, and the first that I wrote almost all the text for. (The other one, RFC 5537, was based on extensive previous work by Charles Lindsey and others.)

The next step is the RFC Editor queue, which will probably involve some additional grammar changes and rewordings and a few more bits of back and forth, but all the procedural hurdles have been cleared.

This document obsoletes the AFSDB record portion of RFC 1183 for AFS, although it does include information about when and how to publish those records for backward compatibility for older versions of AFS. OpenAFS will use DNS SRV records as of 1.6.

You can get the version of the draft that's going to the RFC Editor from my AFS notes page, and you can see a complete history of the document on the IETF tools page.

2010-02-27: A note on book reviews

For those who follow my journal through Planet Debian, you don't normally see my book reviews since they're quite long (and I don't like cuts in feeds) and usually not very relevant to Debian. I added my Coders at Work review to the Planet Debian feed since it did seem relevant, and I plan on adding further reviews of technical books to that feed. There probably won't be more than a handful a year.

Most of my journal isn't in the Planet Debian feed, since I tend to post largish photographs and a lot of software release announcements that aren't directly Debian-relevant. If you want to follow all of my posts, or my book reviews in general (mostly fiction, mostly SF), see the various other RSS feeds available from my main journal page.

Last modified and spun 2017-03-25