Kerberos for Windows & MSLSA Cache

Christopher Penney cpenney at gmail.com
Fri Mar 6 12:12:46 EST 2015


I run a Linux environment that's set up in an MIT Kerberos Realm. That realm
has a one-way trust set up that allows tickets for Active Directory
principals (from Windows 7 clients) to be accepted as authentication (for
SSH and ODBC for Hadoop/Hive).  I'm having two problems.

The first problem I'm having is that Windows 7 users using Kerberos for
Windows 4.01 do not seem to be able to use their AD ticket in the MSLSA
cache. If I set KRB5CCNAME to a file and obtain an AD ticket independently
of MSLSA everything works fine. With KRB5CCNAME set to MSLSA: it does not
work. I did find a note about setting AllowTGTSessionKey to 1, but that's
already been done (and rebooted).

Is there a way to use the AD tickets stored in MSLSA using MIT KfW?  I
assumed it was possible looking at the release notes where it says
"Integration with the Windows LSA credentials cache", but maybe that's not
the case.

I'm also experiencing a problem where (using either MSLSA: or a file for
the CC) I can renew tickets just fine from a cmd window using "kinit -R",
but the MIT Kerberos.exe sys tray tool crashes when it tries to renew.  I
get the following in event viewer:

> Faulting application name: MIT Kerberos.exe, version: 4.0.1.2, time stamp: 0x50c22fb6
> Faulting module name: MSVCR100.dll, version: 10.0.40219.325, time stamp: 0x4df2bcac
> Exception code: 0xc0000005
> Fault offset: 0x000000000003c560
> Faulting process id: 0x1828
> Faulting application start time: 0x01d05782975e269d
> Faulting application path: C:\Program Files\MIT\Kerberos\bin\MIT Kerberos.exe
> Faulting module path: C:\Windows\system32\MSVCR100.dll
> Report Id: 631e69e6-c3c7-11e4-92c0-180373cb2112


The exception code points to some kind of access issue, but I can't seem to
see what it is.  Watching it with Process Monitor wasn't very interesting,
but I'm not an expert.

If I run "MIT Kerberos.exe" -renew it gives the message "There was an error
renewing tickets!".

Thanks,

   Chris
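Added example (not from the post or from MIT KfW): a small triage script for the Event Viewer record quoted above. It parses the "Faulting application" fields, decodes the NTSTATUS bit fields of the exception code, and turns the PE time stamps into build dates; the sample record is constructed from the values in the post, re-joined onto one line per field.

```python
import re
from datetime import datetime, timezone
# Constructed sample: the Application-log record quoted in the post, re-joined so that
# each field sits on one line (the mail client wrapped the long values).
SAMPLE_EVENT = r"""Faulting application name: MIT Kerberos.exe, version: 4.0.1.2, time stamp: 0x50c22fb6
Faulting module name: MSVCR100.dll, version: 10.0.40219.325, time stamp: 0x4df2bcac
Exception code: 0xc0000005
Fault offset: 0x000000000003c560
Faulting application path: C:\Program Files\MIT\Kerberos\bin\MIT Kerberos.exe
Faulting module path: C:\Windows\system32\MSVCR100.dll
"""
# Well-known NTSTATUS values that appear as "Exception code" in these records.
KNOWN_STATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",      # invalid memory access, not a permissions failure
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",  # /GS cookie failure or __fastfail
    0xE06D7363: "MSVC_CPLUSPLUS_EXCEPTION",     # unhandled C++ throw (customer bit set)
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
HEADER = re.compile(r"^Faulting (application|module) name: (.+?), version: (\S+), "
                    r"time stamp: 0x([0-9a-fA-F]+)$")

def decode_ntstatus(code):
    """Split an NTSTATUS into its fields: severity 31:30, customer 29, facility 27:16, code 15:0."""
    return {"severity": SEVERITY[code >> 30], "customer": bool((code >> 29) & 1),
            "facility": (code >> 16) & 0xFFF, "code": code & 0xFFFF,
            "name": KNOWN_STATUS.get(code, "unknown")}

def parse_event(text):
    """Return {'application': {...}, 'module': {...}, 'fields': {...}} from the record text."""
    parsed = {"fields": {}}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            kind, name, version, ts = m.groups()
            # The PE TimeDateStamp is seconds since the Unix epoch: it dates the build, not the crash.
            built = datetime.fromtimestamp(int(ts, 16), tz=timezone.utc)
            parsed[kind] = {"name": name, "version": version, "built": built}
        elif ": " in line:
            key, _, value = line.partition(": ")
            parsed["fields"][key] = value
    return parsed

def triage(text):
    """Summarise the crash: which module faulted, the offset inside it, and what the code means."""
    ev = parse_event(text)
    return {"module": ev["module"]["name"], "module_built": ev["module"]["built"].year,
            "fault_offset": int(ev["fields"]["Fault offset"], 16),
            "status": decode_ntstatus(int(ev["fields"]["Exception code"], 16))}
```

For the record above this reports an error-severity STATUS_ACCESS_VIOLATION at offset 0x3c560 inside a 2011 build of MSVCR100.dll, i.e. a memory fault in the C runtime rather than an authorization failure, which is what a debugger or a crash dump would need to be attached to next.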