Archive for February, 2012

Kerberos Safari Support (or lack thereof): CNAMEs + Negotiate Auth

Posted in default on February 26th, 2012 at 08:43:59

MetaCarta used Kerberos for single-sign-on support company wide.

Now, given that MetaCarta was a bunch of MIT hackers, this shouldn’t be particularly shocking. 🙂 It was generally a very nice thing to have — although it got me used to the idea that I *shouldn’t* type my password 20 times per day, a notion that Nokia has tried very hard to dissuade me from.

However, Kerberos support in Safari never worked for MetaCarta’s web services. It was never clear to me why, it was just clear that it didn’t work. Googling showed me many people saying it did work, and no people saying it didn’t, so I figured it was some quirk of my system and didn’t bother to fix it.

Now, at Nokia, I’m in the same boat: for services run by the Group Formerly Known as MetaCarta, we use Kerberos for everything. The difference is, falling back to Basic auth — which was fine in MetaCarta times — is a Very Expensive path to take in the new world; our auth services are slow Microsoft AD services hosted thousands of miles away on the other side of multiple high-latency firewalls, so when Kerberos doesn’t work — it hurts.

So, after getting fed up with this behavior yesterday, I started digging in. I didn’t make a lot of progress last night, but this morning, I stumbled across a post documenting that Safari does not work with hosts that are CNAMEs. With that one small pointer, I found other evidence of people running into this, and an option to reproduce the Safari-like behavior in chrome: “–disable-auth-negotiate-cname-lookup”. (The option documentation points to HttpAuthHandlerNegotiate::CreateSPN in http auth handler for more details.)

This bad behavior isn’t limited to Safari though: different versions of IE and the .Net framework also fail in similar ways at times. (The article in question says “Do not use CNAME dns records and non default web ports when using Kerberos!” — and given the multitude of clients and differing bugs in implementation, I’d say that seems like about the right approach.)

This seems to be a bug in Safari; it isn’t clear to me if it’s also a bug in WebKit. A brief (30 minutes) search through webkit and related postings seems to indicate that the higher level authentication handlers — like the one linked above in Chrome — are implemented at the application level, not the library level. (The library provides the hooks, but wouldn’t have anything more complex like Kerberos — which isn’t surprising.) I think that would mean this is a bug in the Safari implementation — the closed source side that I can’t touch — rather than in the open source WebKit base, so I can’t just ‘fix it myself’ (other than writing my own application layer — or more realistically, switching away from Safari to Chrome).

Anyway, if you’re having an issue with Negotiate auth not working in Safari, when you think it should — check if the server you’re trying to talk to is using a CNAME. If the answer is yes, it seems you’ve run into a known limitation: Safari Just Doesn’t Do That.

Words with Four vowels in a row

Posted in default on February 13th, 2012 at 23:54:16

A friend of mine posted on his LiveJournal:

There aren’t many English words with four vowels in a row.

Of course, geek that I am, I thought ‘hm, that sounds like a challenge.’

Using egrep and /usr/share/dict/words, I came up with the following:

In my /usr/share/dict/words, it looks like:
4: 159
5: 3 (cadiueio, Chaouia, Guauaenok)
6: 1 (euouae)

Excluding proper nouns (or at least, things capitalized in the first letter), we get 110, 1, 1. Of the four-vowel words, 7 have only 5 letters; another 6 have only 6 letters.

An arbitrary selection of 4-vowel words: homoeoarchy, obsequiousness, palaeoencephalon, queue, lieue, rhythmopoeia, exsanguious.

(Normally, I’d have done a random selection instead of an arbitrary selection, but `sort` on OS X doesn’t have the -R option, sadly, and I didn’t happen to have an ssh connection to elsewhere open at that particular second.)

This feels like the kind of question I’d love to use as a job interview question someday.

Working for the Man

Posted in Social on February 12th, 2012 at 18:25:39

Sometimes, I wish that I could talk more about work openly.

I do a fair amount of what I consider somewhat cool stuff at work — as is evidenced by my somewhat lower work in open source these days. (Since I find my work more interesting, I spend fewer of my off hours invested in ‘more interesting’ projects than I used to.) Of course, in reality, I expect that most people would still find what I do completely boring, but to me, it’s exciting.

In the past, when I worked for MetaCarta, there were only 20-30 people who would be in a position to be upset by what I would talk about — if I wanted to chat in public about something, I could usually chat with everyone who might care about it in an afternoon, and get a go/no-go from them.

But now, I work for a much larger company, and speaking out of turn could have much larger consequences. (Not the least is the fact that the company is publicly traded — so anything I say has the potential to actually shift a public stock price.) The group that I work in is significantly larger than MetaCarta’s core of engineers, and the number of levels between me and the top is comparatively larger.

So now, when I’m working on things that I consider cool, or want to share — I typically have to just keep my mouth shut.

Recently, one of my coworkers was trying to encourage someone from our team to present at the Berlin Buzzwords conference — talking about how good it would be to present some of what we do at the conference to get feedback from others working on the same problem. I couldn’t help but think, at the time: What exactly do you think that we could share at this conference?

Maybe it’s a cultural thing, but I feel a bit stymied by this regularly — even inside the organization, sharing data we’ve gathered becomes a political, rather than a technical, decision. Oversharing without consideration for how other teams will see the data is something that can have significant negative impacts on our interactions with other teams, because it’s very easy to step on toes.

I realize that this is all part of working in a large organization. Overall, there are a lot of positive benefits — in fact, much of the reason that I have more data that I’d like to share now is because we have a larger set of resources than we had available at MetaCarta, where many of the projects I worked on were just me hacking along on them alone. It doesn’t make it less frustrating, but it does swing both ways.

But sometimes I still just wish I could blab about what hack I spent my weekend on. Or open source another small project. And it’s a shame that I can’t.