In the future please submit bug reports on Kerberos for Windows to the KFW Bug mailing list: kfw-bugs@mit.edu

Also, please submit each bug separately so that they may each be tracked.

Matt Lytle via RT wrote:

>Bug1: Leash32 from 2.6Beta7 crashes when starting on a Windows 2000
>machine when attached to a remote network with no VPN connection. Error
>message (note memory addresses changes): "The instruction at 0x77fcca36"
>referenced memory at "0x000c0100" the memory could not be written". This
>does not occur on Windows XP boxes, and leash32 runs fine after the vpn
>connection is established.
>

In other words, you are reporting that Leash is crashing when there is a network connection but the KDC for the default realm is not reachable when run on Windows 2000. Is this correct?

>Bug2: It appears that for some reason that Leash32 likes to disable the
>AFS Status setting. It appears to happen when it can not contact the cell
>for some reason. Can this be changed or overridden? Possibly with a
>registry key. We are trying to support remote users, and run leash32 on
>startup (in the task tray) and it is very inconvenient for them to have to
>enable the afs properties frequently.
>

The AFS Status is disabled when there is a problem communicating with the AFS Client Service. This is a bug in the AFS Client. OpenAFS version 1.3.60 fixes this problem. The cause is a race condition between the pioctl() and RPC calls necessary for performing Token operations with the AFS Client Service. The AFS library libauthent.dll did not place a system global critical section around both operations, allowing multiple applications such as Leash32.exe and afscreds.exe to step on each other's toes.

>Bug3: When obtaining tickets via ms2mit.exe and when they expire you
>receive an error message that says: Ticket expired (Kerberos error 32)
>krb5_get_renewed_creds() failed. However, clicking ok, and then using the
>renew button in leash it works.
>

Confirm that you have the correct configuration data for your Windows Domain and KDC within the KRB5.INI file. Leash possesses renewable tickets in its cache but is unable to renew the tickets. Most likely it cannot contact your KDC. Another possibility is that your KDC is refusing to renew the tickets, in which case Windows simply uses the cached username and password to perform a new TGS request, which cannot be done by Leash directly.

>Feature Request1: Add options like -aklog to leash32 to be used in
>conjunction with -ms2mit. Also add -persistent to leash32 to be used in
>conjunction with -ms2mit, so it does the -ms2mit then stays in the task
>tray. I would like to be able to call something like "leash32 -ms2mit
>-aklog -persistent" from the command line.
>

Use the -autoinit option as described in the documentation. This will automatically perform an import from the MSLSA cache when the session is Kerberos authenticated.

>
>Feature Request2: Make ms2mit optionally run as a service. It would be
>nice if it ran in the background (or through leash32) and automatically
>extracted tickets from the ms lsa cache when they were renewed.
>

This is how Leash currently behaves when properly configured and auto-ticket-renewal is turned on.

Jeffrey Altman
Kerberos for Windows maintainer.