[krbdev.mit.edu #8790] Leash krb5_cc_start_seq_get error popups

Greg Hudson via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Mon Mar 18 19:07:16 EDT 2019


Two users at MIT have reported nuisance Leash modal error dialogs 
while running Leash (aka MIT Kerberos Ticket Manager) on Windows.  In 
both cases the errors started happening after a Windows 10 update in 
mid-February.  The error dialogs say:

    Matching credential not found (Kerberos error -1765328243)
    krb5_cc_start_seq_get failed

The errors do not seem to impede the operation of the app that needs 
tickets (SAPgui in both cases), except that the error popups happen 
repeatedly and steal focus.  I have advised the users to fully exit 
the ticket manager after acquiring tickets, which I hope will work 
around the most annoying aspect of the problem.

From code inspection, I believe the error occurs when Leash tries to 
update its ticket display.  Leash iterates over the ccache 
collection, reaches the LSA ccache, and tries to iterate over the 
creds in that ccache.  krb5_start_seq_get() returns KRB5_CC_NOTFOUND 
and the error pops up (KrbListTickets.cpp:do_ccache() line 223).  
Normally when the LSA ccache is empty, a prior call to 
krb5_cc_get_principal() would fail (line 212) and in that case the 
error dialog is suppressed.

Ideally I will get confirmation that the circumstances surrounding 
the error are as I suspect (specifically that the users have an API 
default ccache and the LSA ccache is empty), account for the 
difference in Windows behavior which causes krb5_cc_get_principal() 
to succeed on an empty ccache when it used to fail, and then patch 
the problem.  But since I cannot personally reproduce the error, 
there is a good chance I will simply patch Leash to suppress errors 
when krb5_cc_start_seq_get() fails.
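
The control flow described in the message above, modelled in C as an added example (not Leash's code and not written by the message's author). The struct, the function names and the placeholder failure code are constructed for illustration; only the KRB5_CC_NOTFOUND value is taken from the quoted dialog.

```c
#include <stdio.h>
#include <stddef.h>

#define KRB5_CC_NOTFOUND (-1765328243L) /* value shown in the quoted dialog */
#define MODEL_OTHER_FAIL 1L /* placeholder: the report gives no other code */

/* Constructed stand-in for one ccache: only the two return codes the
 * report discusses. This models the flow; it is not the krb5 API. */
struct model_ccache {
    const char *name;
    long get_principal_ret;  /* models krb5_cc_get_principal() */
    long start_seq_get_ret;  /* models krb5_cc_start_seq_get() */
};

enum outcome { LIST_TICKETS, SKIP_SILENTLY, SHOW_ERROR_DIALOG };

/* A get_principal failure is quiet; a start_seq_get failure raises the
 * dialog unless suppress_seq_errors models the fallback patch. */
enum outcome refresh_one(const struct model_ccache *cc, int suppress_seq_errors)
{
    if (cc->get_principal_ret != 0)
        return SKIP_SILENTLY;
    if (cc->start_seq_get_ret != 0)
        return suppress_seq_errors ? SKIP_SILENTLY : SHOW_ERROR_DIALOG;
    return LIST_TICKETS;
}

/* Dialogs raised by one display refresh over a whole collection. */
int count_dialogs(const struct model_ccache *col, size_t n, int suppress)
{
    int dialogs = 0;
    for (size_t i = 0; i < n; i++)
        if (refresh_one(&col[i], suppress) == SHOW_ERROR_DIALOG)
            dialogs++;
    return dialogs;
}

/* Constructed collections: a populated API cache plus an empty LSA cache,
 * as the report suspects, before and after the Windows update. */
const struct model_ccache before_update[] = {
    { "API", 0, 0 }, { "LSA", MODEL_OTHER_FAIL, KRB5_CC_NOTFOUND } };
const struct model_ccache after_update[] = {
    { "API", 0, 0 }, { "LSA", 0, KRB5_CC_NOTFOUND } };
/* A cache whose iteration fails for some other reason (constructed). */
const struct model_ccache broken = { "API", 0, MODEL_OTHER_FAIL };

int main(void)
{
    printf("before update: %d dialog(s)\n", count_dialogs(before_update, 2, 0));
    printf("after update: %d dialog(s)\n", count_dialogs(after_update, 2, 0));
    printf("after update, patched: %d dialog(s)\n", count_dialogs(after_update, 2, 1));
    return 0;
}
```

The `broken` case shows the cost of suppressing every krb5_cc_start_seq_get() failure: an iteration error unrelated to an empty LSA ccache is hidden as well.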
