<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Bitstream Cyberbit">Matt Lytle wrote:<br>
</font>
<blockquote cite="mid577984.1080040269@%5B172.31.1.2%5D" type="cite">
<blockquote type="cite"><font face="Bitstream Cyberbit">Matt Lytle
via RT wrote:
<br>
</font></blockquote>
<font face="Bitstream Cyberbit"><br>
</font>
<blockquote type="cite">
<blockquote type="cite"><font face="Bitstream Cyberbit">Bug3: When
obtaining tickets via ms2mit.exe, when they expire you
<br>
receive an error message that says: Ticket expired (Kerberos error 32)
<br>
krb5_get_renewed_creds() failed. However, clicking OK and then using
<br>
the renew button in Leash works.
<br>
<br>
</font></blockquote>
<font face="Bitstream Cyberbit">Confirm that you have the correct
configuration data
<br>
for your Windows Domain and KDC within the KRB5.INI
<br>
file. Leash possesses renewable tickets in its cache
<br>
but is unable to renew the tickets. Most likely it
<br>
cannot contact your KDC.
<br>
Another possibility is that your KDC is refusing to
<br>
renew the tickets, in which case Windows simply uses
<br>
the cached username and password to perform a new TGS
<br>
request which cannot be done by Leash directly.
<br>
<br>
</font></blockquote>
<font face="Bitstream Cyberbit"><br>
So would requesting non-renewable tickets solve this problem? My
krb5.ini is correct. Although it seems that all tickets imported with
ms2mit have the R flag. How do I avoid that?
<br>
<br>
</font></blockquote>
You should debug why renewable tickets are failing to be renewed.<br>
The most likely cause is that your service principals are <br>
configured to allow renewable tickets but that the renew-till time<br>
is less than the lifetime of the ticket.<br>
<blockquote cite="mid577984.1080040269@%5B172.31.1.2%5D" type="cite"><font
face="Bitstream Cyberbit"><br>
</font>
<blockquote type="cite">
<blockquote type="cite"><font face="Bitstream Cyberbit">Feature
Request1: Add options like -aklog to leash32 to be used in
<br>
conjunction with -ms2mit. Also add -persistent to leash32 to be used
in
<br>
conjunction with -ms2mit, so it does the -ms2mit then stays in the task
<br>
tray. I would like to be able to call something like "leash32 -ms2mit
<br>
-aklog -persistent" from the command line.
<br>
<br>
</font></blockquote>
<font face="Bitstream Cyberbit">Use the -autoinit option as
described in the documentation.
<br>
This will automatically perform an import from the MSLSA
<br>
cache when the session is Kerberos authenticated.
<br>
</font>
<blockquote type="cite"><font face="Bitstream Cyberbit"><br>
</font></blockquote>
</blockquote>
<font face="Bitstream Cyberbit"><br>
Can there be an option added so that -autoinit also does an aklog?
<br>
<br>
</font></blockquote>
It already performs the aklog function, the same <br>
as when you obtain tickets using Leash.<br>
<br>
<blockquote cite="mid577984.1080040269@%5B172.31.1.2%5D" type="cite">
<blockquote type="cite">
<blockquote type="cite"><font face="Bitstream Cyberbit">Feature
Request2: Make ms2mit optionally run as a service. It would be
<br>
nice if it ran in the background (or through leash32) and automatically
<br>
extracted tickets from the ms lsa cache when they were renewed.
<br>
<br>
</font></blockquote>
<font face="Bitstream Cyberbit">This is how Leash currently behaves
when properly configured and
<br>
auto-ticket-renewal is turned on.
<br>
</font></blockquote>
<font face="Bitstream Cyberbit"><br>
It seems to work, with the exception of the above error message. As I
mentioned above, using ms2mit causes the tickets to have the R flag set.
<br>
</font><font face="Bitstream Cyberbit"><br>
</font></blockquote>
Your other option is to set the KRB5CCNAME to "MSLSA:" and then the <br>
MS LSA cache will be used instead of the CCAPI. There will be no<br>
need to perform an ms2mit operation.<br>
<br>
Jeffrey Altman<br>
<br>
<br>
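A simplified model of the renewal check discussed in this thread, added here as an illustration; it is not code from MIT krb5, Leash or either poster. It assumes the KDC honours a RENEW only for a ticket carrying the R flag whose renew-till time is still in the future, and all ticket times below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Ticket:
    service: str
    start: datetime
    end: datetime
    renew_till: Optional[datetime]   # None when the ticket carries no R flag
    flags: str = ""


def diagnose_renew(t: Ticket, now: datetime) -> str:
    """Why a RENEW of ticket `t` at time `now` is refused, or 'renew-ok'.

    Assumed KDC rule: renew only tickets with the R flag whose renew-till
    time has not yet passed (the ticket itself may already have expired).
    """
    if "R" not in t.flags or t.renew_till is None:
        return "not-renewable"            # nothing for Leash to renew
    if now >= t.renew_till:
        # The KDC answers 'Ticket expired' (error 32).  If renew-till never
        # reached past the end time, the principal's renewable life is shorter
        # than its ticket life: the misconfiguration suspected in the thread.
        if t.renew_till <= t.end:
            return "renew-till-shorter-than-lifetime"
        return "renew-till-passed"
    return "renew-ok"


def renewed(t: Ticket, now: datetime) -> Ticket:
    """Ticket a successful renew returns: same lifetime, capped at renew-till."""
    verdict = diagnose_renew(t, now)
    if verdict != "renew-ok":
        raise ValueError("renew refused: " + verdict)
    life = t.end - t.start
    return Ticket(t.service, now, min(now + life, t.renew_till), t.renew_till, t.flags)


# Constructed sample cache entries (not from the thread): 10-hour TGTs.
START = datetime(2004, 3, 23, 9, 0)
TGT = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
TICKETS = {
    "healthy":   Ticket(TGT, START, START + timedelta(hours=10), START + timedelta(days=7), "FRIA"),
    "misconfig": Ticket(TGT, START, START + timedelta(hours=10), START + timedelta(hours=8), "FRIA"),
    "plain":     Ticket(TGT, START, START + timedelta(hours=10), None, "FIA"),
}


def hours_after(h: float) -> datetime:
    """Clock reading `h` hours after START, for running the checks above."""
    return START + timedelta(hours=h)
```

Running diagnose_renew over a cache dump at the moment the "Ticket expired" dialog appears separates the renew-till misconfiguration from a KDC that simply cannot be reached.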
</body>
</html>