Colors of Noise

krb5-auth-dialog: experimental dbus interface
13th June 2008

When you don't have a valid TGT, thunderbird/icedove and evolution (2.22.2) just fail if your SMTP/IMAP/CalDAV server only allows GSSAPI authentication. While thunderbird tells you to turn off secure authentication (brilliant idea), evolution just says "error while refreshing folder" in the status bar: quite user friendly.

Therefore I added a simple dbus interface to krb5-auth-dialog so that these applications can ask it to acquire the TGT for them. Thanks to the dbus glib bindings, the code an application that wants a ticket needs to use is as simple as:

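#include <stdio.h>
#include "krb5-auth-dialog-dbus-client-glue.h"
const char *principal = "me@EXAMPLE.COM";
/* SERVICE, PATH and INTERFACE are placeholders for the bus name, object path
   and interface, which are not shown in this post. */
proxy = dbus_g_proxy_new_for_name_owner (connection, SERVICE, PATH, INTERFACE, &error);
/* Ask krb5-auth-dialog to acquire a TGT for the principal. */
org_gnome_KrbAuthProvider_acquire_tgt (proxy, principal, &success, &error);
if (success)
     printf ("Acquired TGT for %s\n", principal);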

Currently you can only request a TGT for a principal krb5-auth-dialog knows about (either your username in the default realm or the one you set via gconf), since we don't do principal switching within krb5-auth-dialog yet. But this should already do the trick for most use cases. A full example application is in helpers/krb5-auth-helper.c. This can readily be used in shell scripts:

cat <<EOF >evo-krb5
#!/bin/sh -e
krb5-auth-helper me@EXAMPLE.COM && evolution
EOF
chmod +x evo-krb5

Since the dialog only pops up if you don't already have a valid TGT, the password dialog will only get in your way when needed. It would be nicer if those applications used this interface directly, now that it's there.
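The same idea as a reusable wrapper for any GSSAPI-only client, written here as an added example (not part of krb5-auth-dialog): it validates the principal, skips the helper when the credential cache is still valid, and refuses to start the client when no ticket could be acquired. KLIST and KRB5_AUTH_HELPER are hypothetical override variables, and the helper is assumed to exit non-zero on failure, as the && in the script above implies.

```shell
#!/bin/sh
# Added example, not from krb5-auth-dialog. KLIST and KRB5_AUTH_HELPER are
# hypothetical override variables; krb5-auth-helper is the helper from the post.
KLIST=${KLIST:-klist}
KRB5_AUTH_HELPER=${KRB5_AUTH_HELPER:-krb5-auth-helper}

# ensure_tgt PRINCIPAL
# Returns 0 when a ticket is available, 1 when none could be acquired,
# 2 when PRINCIPAL is not of the form user@REALM.
ensure_tgt() {
    principal=$1
    case $principal in
        ''|-*|@*|*@) return 2 ;;   # empty, option-like, or missing a part
        *@*) ;;
        *) return 2 ;;             # no realm given
    esac
    # Fast path: "klist -s" (MIT Kerberos) exits 0 when the default cache
    # holds unexpired credentials, so the dialog is not needed.
    if "$KLIST" -s 2>/dev/null; then
        return 0
    fi
    # Otherwise let krb5-auth-dialog prompt via the helper. Assumption: the
    # helper exits non-zero when the dialog is cancelled or fails.
    "$KRB5_AUTH_HELPER" "$principal" || return 1
}

# with_tgt PRINCIPAL COMMAND [ARGS...]
# Runs COMMAND only after ensure_tgt succeeded, so the client is never
# started without a ticket.
with_tgt() {
    [ $# -ge 2 ] || return 2
    ensure_tgt "$1" || return $?
    shift
    "$@"
}

# Script usage: with-tgt me@EXAMPLE.COM evolution
[ $# -eq 0 ] || with_tgt "$@"
```

Note that klist -s looks at the default credential cache only, so it does not confirm that the cached ticket belongs to the principal passed in.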

As usual you can clone from:

git clone

Make sure you build the dbus branch:

git checkout --track -b dbus origin/dbus
mkdir build && cd build && ../ && make && sudo make install

Tags: single-sign-on.
