Matt Lytle wrote:
>> Matt Lytle via RT wrote:
>>> Bug3: When obtaining tickets via ms2mit.exe and when they expire you
>>> receive an error message that says: Ticket expired (Kerberos error 32)
>>> krb5_get_renewed_creds() failed. However, clicking OK, and then using
>>> the renew button in Leash, it works.
>>
>> Confirm that you have the correct configuration data for your Windows
>> Domain and KDC within the KRB5.INI file. Leash possesses renewable
>> tickets in its cache but is unable to renew the tickets. Most likely it
>> cannot contact your KDC.
>>
>> Another possibility is that your KDC is refusing to renew the tickets,
>> in which case Windows simply uses the cached username and password to
>> perform a new TGS request, which cannot be done by Leash directly.
>
> So would requesting non-renewable tickets solve this problem? My
> krb5.ini is correct. Although it seems that all tickets imported with
> ms2mit have the R flag. How do I avoid that?

You should debug why renewable tickets are failing to be renewed.
The most likely cause is that your service principals are
configured to allow renewable tickets but that the renew-till time
is less than the lifetime of the ticket.

>>> Feature Request1: Add options like -aklog to leash32 to be used in
>>> conjunction with -ms2mit. Also add -persistent to leash32 to be used in
>>> conjunction with -ms2mit, so it does the -ms2mit then stays in the task
>>> tray. I would like to be able to call something like "leash32 -ms2mit
>>> -aklog -persistent" from the command line.
>>
>> Use the -autoinit option as described in the documentation. This will
>> automatically perform an import from the MSLSA cache when the session
>> is Kerberos authenticated.
>
> Can there be an option added so that -autoinit also does an aklog?

It already does perform the aklog function. The same as when you obtain
tickets using Leash.

>>> Feature Request2: Make ms2mit optionally run as a service. It would be
>>> nice if it ran in the background (or through leash32) and automatically
>>> extracted tickets from the MS LSA cache when they were renewed.
>>
>> This is how Leash currently behaves when properly configured and
>> auto-ticket-renewal is turned on.
>
> It seems to work with the exception of the above error message. As I
> mentioned above, using ms2mit causes the tickets to have the R flag set.

Your other option is to set the KRB5CCNAME to "MSLSA:" and then the
MS LSA cache will be used instead of the CCAPI. There will be no
need to perform an ms2mit operation.
Jeffrey Altman
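The diagnosis suggested in this thread (a ticket carries the R flag, yet the renew-till time is not later than the ticket's own expiry, or the ticket has already expired when the renew is attempted) can be checked from `klist -f` style output. The following is an added example, not code from this thread or from Leash or MIT Kerberos; the sample cache listing is constructed to approximate the `klist -f` layout, the timestamp format is assumed to be the default `MM/DD/YYYY HH:MM:SS`, and the service names are placeholders.

```python
"""Classify why a renew (krb5_get_renewed_creds) would fail for each ticket.

Added example; the klist text below is constructed, not captured output.
"""
import re
from datetime import datetime

# Assumed timestamp layout, as printed by MIT klist in a C locale.
TS_FORMAT = "%m/%d/%Y %H:%M:%S"
_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"

ENTRY_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({_TS})(?:, Flags: ([A-Za-z]+))?\s*$")
FLAGS_RE = re.compile(r"^\s*Flags: ([A-Za-z]+)\s*$")

# Kerberos error 32 is KRB_AP_ERR_TKT_EXPIRED, the code quoted in the thread.
KRB_AP_ERR_TKT_EXPIRED = 32


def parse_klist(text):
    """Parse 'klist -f' style output into a list of ticket dicts."""
    tickets = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            tickets.append({
                "start": datetime.strptime(m.group(1), TS_FORMAT),
                "end": datetime.strptime(m.group(2), TS_FORMAT),
                "service": m.group(3),
                "renew_until": None,
                "flags": "",
            })
            continue
        if not tickets:
            continue  # header lines before the first ticket entry
        m = RENEW_RE.match(line)
        if m:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TS_FORMAT)
            if m.group(2):
                tickets[-1]["flags"] = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            tickets[-1]["flags"] = m.group(1)
    return tickets


def renew_status(ticket, now):
    """Return 'ok' or the reason a renew of this ticket cannot succeed."""
    if "R" not in ticket["flags"]:
        return "not renewable: R flag absent"
    if ticket["renew_until"] is None:
        return "not renewable: no renew-until time"
    if ticket["renew_until"] <= ticket["end"]:
        # The case described in the thread: renewable in name only.
        return "misconfigured: renew-until is not later than expiry, renewal gains nothing"
    if now >= ticket["end"]:
        # A renew must be requested while the ticket is still valid.
        return f"expired: cannot renew an expired ticket (Kerberos error {KRB_AP_ERR_TKT_EXPIRED})"
    return "ok"


def check_cache(text, now):
    """Map each service principal in the listing to its renew status."""
    return {t["service"]: renew_status(t, now) for t in parse_klist(text)}


# Constructed sample listing (placeholder realm and hosts).
SAMPLE_KLIST = """\
Ticket cache: API:user@EXAMPLE.COM
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
04/01/2024 10:00:00  04/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/08/2024 10:00:00, Flags: FRIA
04/01/2024 10:00:00  04/01/2024 20:00:00  host/short.example.com@EXAMPLE.COM
\trenew until 04/01/2024 20:00:00, Flags: FRA
03/31/2024 08:00:00  03/31/2024 18:00:00  host/stale.example.com@EXAMPLE.COM
\trenew until 04/07/2024 08:00:00, Flags: FRA
04/01/2024 10:00:00  04/01/2024 20:00:00  afs/example.com@EXAMPLE.COM
\tFlags: FA
"""

# Fixed "current time" so the sample evaluates the same way every run.
NOW = datetime(2024, 4, 1, 15, 0, 0)


def check_sample():
    return check_cache(SAMPLE_KLIST, NOW)


if __name__ == "__main__":
    for service, status in check_sample().items():
        print(f"{service}: {status}")
```

Run it against real output by replacing `SAMPLE_KLIST` with the text of `klist -f` and `NOW` with `datetime.now()`; a ticket reported as "misconfigured" is the renew-till case Jeffrey Altman points at, and an "expired" ticket is the one that produces error 32 when Leash attempts the renew after expiry.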