Matt Lytle wrote:
> via RT wrote:
>>> obtaining tickets via ms2mit.exe and when they expire you
>>> receive an error message that says: Ticket expired (Kerberos error 32)
>>> krb5_get_renewed_creds() failed. However, clicking ok, and then using
>>> the renew button in leash it works.
>>
>> You should debug why renewable tickets are failing to be renewed.
>> Confirm that you have the correct
>> for your Windows Domain and KDC within the KRB5.INI
>> file. Leash possesses renewable tickets in its cache
>> but is unable to renew the tickets. Most likely it
>> cannot contact your KDC.
>>
>> Another possibility is that your KDC is refusing to
>> renew the tickets. In which case, Windows simply uses
>> the cached username and password to perform a new TGS
>> request which cannot be done by Leash directly.
>
> So would requesting non-renewable tickets solve this problem? My
> krb5.ini is correct. Although it seems that all tickets imported with
> ms2mit have the R flag. How do I avoid that?

The most likely cause is that your service principals are
configured to allow renewable tickets but that the renew til time
is less than the lifetime of the ticket.

>>> Request1: Add options like -aklog to leash32 to be used in
>>> conjunction with -ms2mit. Also add -persistent to leash32 to be used in
>>> conjunction with -ms2mit, so it does the -ms2mit then stays in the task
>>> tray. I would like to be able to call something like "leash32 -ms2mit
>>> -aklog -persistent" from the command line.
>>
>> Use the -autoinit option as
>> described in the documentation.
>> This will automatically perform an import from the MSLSA
>> cache when the session is Kerberos authenticated.
>
> Can there be an option added so that -autoinit also does an aklog?

It already does perform the aklog function. The same
as when you obtain tickets using Leash.

Your other option is to set the KRB5CCNAME to "MSLSA:" and then the
MS LSA cache will be used instead of the CCAPI. There will be no
need to perform an ms2mit operation.

>>> Request2: Make ms2mit optionally run as a service. It would be
>>> nice if it ran in the background (or through leash32) and automatically
>>> extracted tickets from the ms lsa cache when they were renewed.
>>
>> This is how Leash currently behaves
>> when properly configured and
>> auto-ticket-renewal is turned on.
>
> It seems to work with the exception of the above error message. As I
> mentioned above using ms2mit causes the tickets to have the R flag set.
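
The reply above attributes the renewal failure to tickets that carry the R flag but whose renew-till time leaves no room beyond the ticket lifetime. The following is an added example, not code from the thread or from Kerberos for Windows, that checks for that condition in ticket listings. It assumes the layout MIT `klist -f` prints with MM/DD/YYYY timestamps (the date format is locale dependent), and the sample listing is constructed.

```python
import re
from datetime import datetime

# Constructed sample in the layout MIT `klist -f` prints (not output from the thread).
SAMPLE = """\
Ticket cache: API:user@EXAMPLE.COM
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
03/01/2005 09:00:00  03/01/2005 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 03/01/2005 19:00:00, Flags: FRIA
03/01/2005 09:05:00  03/01/2005 19:00:00  afs/example.com@EXAMPLE.COM
\trenew until 03/08/2005 09:00:00, Flags: FRA
03/01/2005 09:06:00  03/01/2005 19:00:00  host/pc1.example.com@EXAMPLE.COM
\tFlags: FA
"""

TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"  # assumed timestamp format
TICKET = re.compile(rf"^{TS}\s+{TS}\s+(\S+)$")
DETAIL = re.compile(rf"^\s+(?:renew until {TS}, )?Flags: (\w+)$")

def parse(ts):
    return datetime.strptime(ts, "%m/%d/%Y %H:%M:%S")

def audit(text):
    """Return (principal, verdict) for each ticket in klist -f style text."""
    results, current = [], None
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            # Remember expiry and principal until the flags line arrives.
            current = (parse(m.group(2)), m.group(3))
            continue
        d = DETAIL.match(line)
        if d and current:
            expires, principal = current
            renew_until, flags = d.group(1), d.group(2)
            if "R" not in flags:
                verdict = "not renewable"
            elif renew_until is None or parse(renew_until) <= expires:
                # Renewal cannot extend the ticket past its current expiry.
                verdict = "R flag set but no renewal window left"
            else:
                verdict = "renewable"
            results.append((principal, verdict))
            current = None
    return results

if __name__ == "__main__":
    for principal, verdict in audit(SAMPLE):
        print(f"{principal}: {verdict}")
```
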