[krbdev.mit.edu #2425] Multiple bugs and a few feature requests

["Jeffrey Altman [Kermit Project]" via RT]

In the future please submit bug reports on Kerberos for Windows
to the KFW Bug mailing list:   kfw-bugs at mit.edu

Also, please submit each bug separately so that they may each be tracked.

Matt Lytle via RT wrote:

>Bug1:  Leash32 from 2.6Beta7 crashes when starting on a Windows 2000 
>machine when attached to a remote network with no VPN connection. Error 
>message (note memory addresses changes):  "The instruction at 0x77fcca36" 
>referenced memory at "0x000c0100" the memory could not be written".  This 
>does not occur on Windows XP boxes, and leash32 runs fine after the vpn 
>connection is established.
>
In other words, you are reporting that Leash is crashing
when there is a network connection but the KDC for the
default realm is not reachable when run on Windows 2000.
Is this correct?


>Bug2:  It appears that for some reason that Leash32 likes to disable the 
>AFS Status setting.  It appears to happen when it can not contact the cell 
>for some reason.  Can this be changed or over ridden?  Possibly with a 
>registry key.  We are trying to support remote users, and run leash32 on 
>startup (in the task tray) and it is very inconvenient for them to have to 
>enable the afs properties frequently.
>
The AFS Status is disabled when there is a problem
communicating with the AFS Client Service.  This is
a bug in the AFS Client.  OpenAFS version 1.3.60 fixes
this problem.  The cause is a race condition between
the pioctl() and RPC calls necessary for performing
Token operations with the AFS Client Service.  The
AFS library libauthent.dll did not place a system
global critical section around both operations allowing
multiple applications such as Leash32.exe and afscreds.exe
to step on each others toes.

>Bug3:  When obtaining tickets via ms2mit.exe and when they expire you 
>receive an error message that says:  Ticket expired (Kerberos error 32) 
>krb5_get_renewed_creds() failed. However, clicking ok, and then using the 
>renew button in leash it works.
>
Confirm that you have the correct configuration data
for your Windows Domain and KDC within the KRB5.INI
file.  Leash possesses renewable tickets in its cache
but is unable to renew the tickets.  Most likely it
cannot contact your KDC. 

Another possibility is that your KDC is refusing to
renew the tickets.  In which case, Windows simply uses
the cached username and password to perform a new TGS
request which cannot be done by Leash directly.

>Feature Reqest1:  Add options like -aklog to leash32 to be used in 
>conjunction with -ms2mit.  Also add -persistent to leash32 to be used in 
>conjunction with -ms2mit, so it does the -ms2mit then stays in the task 
>tray.  I would like to be able to call something like "leash32 -ms2mit 
>-aklog -persistent" from the command line.
>
Use the -autoinit option as described in the documentation.
This will automatically perform an import from the MSLSA
cache when the session is Kerberos authenticated. 

>
>Feature Request2:  Make ms2mit optionally run as a service.  It would be 
>nice if it ran in the background (or through leash32) and automatically 
>extracted tickets from the ms lsa cache when they were renewed.
>
This is how Leash currently behaves when properly configured and
auto-ticket-renewal is turned on.

Jeffrey Altman
Kerberos for Windows maintainer.