[krbdev.mit.edu #2425] Multiple bugs and a few feature requests

Matt Lytle mjl at cert.org
Tue Mar 23 11:11:09 EST 2004


> Matt Lytle via RT wrote:
>
>> Bug1:  Leash32 from 2.6Beta7 crashes when starting on a Windows 2000
>> machine when attached to a remote network with no VPN connection. Error
>> message (note memory addresses change):  "The instruction at
>> "0x77fcca36" referenced memory at "0x000c0100" the memory could not be
>> written".  This does not occur on Windows XP boxes, and leash32 runs
>> fine after the VPN connection is established.
>>
> In other words, you are reporting that Leash is crashing
> when there is a network connection but the KDC for the
> default realm is not reachable when run on Windows 2000.
> Is this correct?
>

That was correct, although it appears to be fixed with beta 9 that you had 
me test.

>
>> Bug2:  It appears that for some reason Leash32 likes to disable the
>> AFS Status setting.  It appears to happen when it cannot contact the
>> cell for some reason.  Can this be changed or overridden?  Possibly
>> with a registry key.  We are trying to support remote users, and run
>> leash32 on startup (in the task tray) and it is very inconvenient for
>> them to have to enable the AFS properties frequently.
>>
> The AFS Status is disabled when there is a problem
> communicating with the AFS Client Service.  This is
> a bug in the AFS Client.  OpenAFS version 1.3.60 fixes
> this problem.  The cause is a race condition between
> the pioctl() and RPC calls necessary for performing
> Token operations with the AFS Client Service.  The
> AFS library libauthent.dll did not place a system
> global critical section around both operations allowing
> multiple applications such as Leash32.exe and afscreds.exe
> to step on each other's toes.
>

Good to know, we are going to be using the 1.3.61 client soon.

>> Bug3:  When obtaining tickets via ms2mit.exe and when they expire you
>> receive an error message that says:  Ticket expired (Kerberos error 32)
>> krb5_get_renewed_creds() failed. However, clicking ok, and then using
>> the renew button in leash it works.
>>
> Confirm that you have the correct configuration data
> for your Windows Domain and KDC within the KRB5.INI
> file.  Leash possesses renewable tickets in its cache
> but is unable to renew the tickets.  Most likely it
> cannot contact your KDC.
> Another possibility is that your KDC is refusing to
> renew the tickets.  In which case, Windows simply uses
> the cached username and password to perform a new TGS
> request which cannot be done by Leash directly.
>

So would requesting non-renewable tickets solve this problem?  My krb5.ini 
is correct.  Although it seems that all tickets imported with ms2mit have 
the R flag.  How do I avoid that?


>> Feature Request1:  Add options like -aklog to leash32 to be used in
>> conjunction with -ms2mit.  Also add -persistent to leash32 to be used in
>> conjunction with -ms2mit, so it does the -ms2mit then stays in the task
>> tray.  I would like to be able to call something like "leash32 -ms2mit
>> -aklog -persistent" from the command line.
>>
> Use the -autoinit option as described in the documentation.
> This will automatically perform an import from the MSLSA
> cache when the session is Kerberos authenticated.
>

Can there be an option added so that -autoinit also does an aklog?

>> Feature Request2:  Make ms2mit optionally run as a service.  It would be
>> nice if it ran in the background (or through leash32) and automatically
>> extracted tickets from the ms lsa cache when they were renewed.
>>
> This is how Leash currently behaves when properly configured and
> auto-ticket-renewal is turned on.

It seems to work with the exception of the above error message.  As I 
mentioned above, using ms2mit causes the tickets to have the R flag set.

>
> Jeffrey Altman
> Kerberos for Windows maintainer.

Thanks,

Matt

>
>
> _______________________________________________
> krb5-bugs mailing list
> krb5-bugs at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krb5-bugs