[krbdev.mit.edu #2425] Multiple bugs and a few feature requests

Jeffrey Altman jaltman at columbia.edu
Tue Mar 23 11:19:16 EST 2004


Matt Lytle wrote:

>> Matt Lytle via RT wrote:
>
>
>>> Bug3:  When obtaining tickets via ms2mit.exe and when they expire you
>>> receive an error message that says:  Ticket expired (Kerberos error 32)
>>> krb5_get_renewed_creds() failed. However, clicking ok, and then using
>>> the  renew button in leash it works.
>>>
>> Confirm that you have the correct configuration data
>> for your Windows Domain and KDC within the KRB5.INI
>> file.  Leash possesses renewable tickets in its cache
>> but is unable to renew the tickets.  Most likely it
>> cannot contact your KDC.
>> Another possibility is that your KDC is refusing to
>> renew the tickets.  In which case, Windows simply uses
>> the cached username and password to perform a new TGS
>> request which cannot be done by Leash directly.
>>
>
> So would requesting non-renewable tickets solve this problem?  My 
> krb5.ini is correct.  Although it seems that all tickets imported with 
> ms2mit have the R flag.  How do I avoid that?
>
You should debug why renewable tickets are failing to be renewed.
The most likely cause is that your service principals are
configured to allow renewable tickets but that the renew-till time
is less than the lifetime of the ticket.

>
>>> Feature Request1:  Add options like -aklog to leash32 to be used in
>>> conjunction with -ms2mit.  Also add -persistent to leash32 to be used in
>>> conjunction with -ms2mit, so it does the -ms2mit then stays in the task
>>> tray.  I would like to be able to call something like "leash32 -ms2mit
>>> -aklog -persistent" from the command line.
>>>
>> Use the -autoinit option as described in the documentation.
>> This will automatically perform an import from the MSLSA
>> cache when the session is Kerberos authenticated.
>>
>>>
>
> Can there be an option added so that -autoinit also does an aklog?
>
It already does perform the aklog function.  The same
as when you obtain tickets using Leash.

>>> Feature Request2:  Make ms2mit optionally run as a service.  It would be
>>> nice if it ran in the background (or through leash32) and automatically
>>> extracted tickets from the ms lsa cache when they were renewed.
>>>
>> This is how Leash currently behaves when properly configured and
>> auto-ticket-renewal is turned on.
>
>
> It seems to work with the exception of the above error message.  As I 
> mentioned above using ms2mit causes the tickets to have the R flag set.
>
Your other option is to set the KRB5CCNAME to "MSLSA:" and then the
MS LSA cache will be used instead of the CCAPI.  There will be no
need to perform an ms2mit operation.

Jeffrey Altman
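The reply above points at the thing to check before blaming Leash: whether the tickets in the cache are renewable in practice, i.e. the R flag is set, the renew-till time actually extends past the expiry time, and the renewal is attempted before the ticket expires (the "Ticket expired (Kerberos error 32)" case). The script below is an added example, not code from this thread or from MIT Kerberos; it parses a listing in the shape of MIT `klist -f` output and reports, per ticket, why renewal would or would not work. The sample listing is constructed for the example, the principal names in it are made up, and the exact `klist -f` line layout (one ticket line, then an indented "renew until ..., Flags: ..." line) is assumed from MIT klist; adjust the regexes if your klist prints dates differently.

```python
"""Report whether each ticket in an MIT-style ``klist -f`` listing can be renewed.

Added example, not part of the krb5-bugs thread or the MIT Kerberos sources.
Assumption: the listing follows MIT ``klist -f`` layout, where each ticket is one
line "start  expires  service" followed by an indented line of the form
"renew until <time>, Flags: <flags>" (or just "Flags: <flags>" when not renewable).
Run it on the output of ``klist -f`` whether KRB5CCNAME points at API:, FILE: or MSLSA:.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

TIME_FMT = "%m/%d/%Y %H:%M:%S"
_STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
_TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)\s*$" % (_STAMP, _STAMP))
_DETAIL_RE = re.compile(r"^\s+(?:renew until (%s),\s*)?Flags:\s*(\w+)\s*$" % _STAMP)

# Constructed sample in the shape of `klist -f` output; not captured from a real host.
SAMPLE_KLIST = """\
Ticket cache: API:Initial default ccache
Default principal: someuser@EXAMPLE.COM

Valid starting       Expires              Service principal
03/23/2004 11:00:00  03/23/2004 21:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 03/30/2004 11:00:00, Flags: FRIA
03/23/2004 11:00:05  03/23/2004 21:00:00  afs@EXAMPLE.COM
\trenew until 03/23/2004 15:00:00, Flags: FRA
03/23/2004 11:00:10  03/23/2004 21:00:00  host/server.example.com@EXAMPLE.COM
\tFlags: FA
"""


@dataclass
class Ticket:
    service: str
    starts: datetime
    expires: datetime
    flags: str = ""
    renew_until: Optional[datetime] = None


def parse_klist(text: str) -> List[Ticket]:
    """Turn klist -f text into Ticket records; header and blank lines are skipped."""
    tickets: List[Ticket] = []
    for line in text.splitlines():
        m = _TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(m.group(3),
                                  datetime.strptime(m.group(1), TIME_FMT),
                                  datetime.strptime(m.group(2), TIME_FMT)))
            continue
        m = _DETAIL_RE.match(line)
        if m and tickets:  # detail line belongs to the ticket just parsed
            t = tickets[-1]
            t.flags = m.group(2)
            if m.group(1):
                t.renew_until = datetime.strptime(m.group(1), TIME_FMT)
    return tickets


def renewal_status(t: Ticket, now: datetime) -> str:
    """Explain, in order of precedence, why a renewal of this ticket would fail."""
    if "R" not in t.flags:
        return "not renewable: R flag absent, a fresh AS request is needed"
    if t.renew_until is None:
        return "not renewable: R flag set but no renew-until time listed"
    if t.renew_until <= t.expires:
        # The thread's suspected cause: renew-till shorter than the ticket lifetime.
        return "renewal useless: renew-until %s does not extend past expiry %s" % (
            t.renew_until.strftime(TIME_FMT), t.expires.strftime(TIME_FMT))
    if now >= t.expires:
        # An expired TGT cannot be renewed; the KDC answers with a ticket-expired error.
        return "too late: ticket expired at %s, renew it before expiry next time" % (
            t.expires.strftime(TIME_FMT))
    return "renewable: renew before %s, renew window closes %s" % (
        t.expires.strftime(TIME_FMT), t.renew_until.strftime(TIME_FMT))


def check_cache(text: str, now_str: str) -> Dict[str, str]:
    """Map each service principal in the listing to its renewal status at time now_str."""
    now = datetime.strptime(now_str, TIME_FMT)
    return {t.service: renewal_status(t, now) for t in parse_klist(text)}


if __name__ == "__main__":
    for service, status in check_cache(SAMPLE_KLIST, "03/23/2004 12:00:00").items():
        print("%-40s %s" % (service, status))
```

On a real machine, pipe `klist -f` into `check_cache` instead of the constructed sample; a ticket reported as "renewal useless" is the renew-till misconfiguration the reply describes, and one reported as "too late" is the situation behind the "Ticket expired" message, where only a new initial ticket (or the -autoinit import from the MSLSA cache) will help.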

