leash32 2.6.4 issues

matt cocker matt at cs.auckland.ac.nz
Wed Aug 4 18:57:39 EDT 2004


Jeffrey Altman wrote:

> matt cocker wrote:
> 
>> Sorry but I used the Add/Remove Programs Control Panel. I will retry 
>> it to confirm this. Windows XP machines don't have this option anyway 
>> but you can rdp to them.
> 
> 
> Windows XP != Terminal Server.

I got that bit worked out.

> 
> Terminal Server supports the redirection of %WINDIR% and references to 
> HKLM\SOFTWARE to %USERPROFILE%\Windows and HKCU\SOFTWARE.  Windows XP 
> does not.
> 

It turns out that it is not what I thought. I don't need the 
%username%\windows files at all for XP.

If I kill all leash instances and delete all krb5.ini, krb.con, krbrealm.con 
files from my local profile on the XP or Server 2003 TS boxes, and then 
open leash I get different behavior on XP and Windows 2003 Server.

On 2003 Server in TS mode using a normal user account, if I run leash now 
and try to access the Kerberos properties menu (ctrl-k) I get error 
messages like

PreTranslateMessage:: Unable to open Kerberos 5 Config. File!!!
PreTranslateMessage:: Unable to determine the Default Realm.

If I try and get tickets I get

Ticket Initialization ailed.
Kerberos 5: Cannot find KDC for requested realm (error 154)

If I restore the krb5.ini, krb.con, krbrealm.con files to 
%username%\windows it is all happy.

Now on XP I saw a similar behavior without the krb5.ini, krb.con, 
krbrealm.con files in %username%\windows. But I think this was 
misleading and it may just be a gui bug.

Anyway, on Windows XP as a normal user if I run leash without any files 
in %username%\windows I can get tickets via leash fine. If I open 
"Kerberos Properties" all looks fine. But if I now open "Kerberos5 
Properties", select the ticket option "No Addresses" (or any option I 
think) and then try to open the "Kerberos Properties" again I get the

PreTranslateMessage:: Unable to open Kerberos 5 Config. File!!!
PreTranslateMessage:: Unable to determine the Default Realm.

messages.

I then went back to the TS box and found that if I follow the same 
sequence it has the same problem. It was the above error messages that 
confused me with XP.

Once leash is in this state you have to restart it to get the "Kerberos 
Properties" working again, but you can get tickets without restarting.

Just checked: it also happens for local admins.

> Are these domain accounts?  Are the profiles roaming?
> Does the domain have terminal servers in them?
> 

yes, both mandatory and local, yes

> 
>> They are four separate XP machines each with leash 2.6.4 installed and 
>> I am logging into the console not RDP. I was saying that only one out 
>> of four machines is working. Since I said that the fourth machine is 
>> not working now. It seems something is destroying the krb5 ticket in 
>> the cache. If I reauthenticate with afscreds leash finds the new ticket.
>>
>> Does afscreds or leash renew tickets and tokens?
> 
> 
> Both afscreds and leash renew tickets and tokens unless they are 
> configured not to.
> 

But afscreds would require leash be installed for this to happen?

> What is obtaining the tickets you are expecting to find in the cache?
> 

We are using the "Obtain AFS tokens when logging into Windows" option in 
the control panel, which is requesting a krb5 ticket from the KDCs and I 
thought stored it at API:principal at REALM. After login the leash gui shows 
afs tokens but no tickets. If you then run afscreds "Obtain New Tokens" 
manually it seems to store the tickets in API:principal at REALM and leash 
shows them.

Have I just misunderstood how the login works?


Cheers

Matt
