It sounds like something is causing Leash to crash on startup.

Double check to make sure that there are not multiple versions of KFW DLLs on the machine.

Check to see if "klist -c MSLSA:" succeeds or fails. We know that the MSLSA: code will crash on machines with a locale requiring the use of Multi-Byte characters.

Jeffrey Altman

diskin wrote:

> Hi Jeff,
> Do you recognize this Leash problem? I'm coming up empty at the moment.
> If you have any debug suggestions let me know.
> Thanks,
> Gregg
>
> ------------ Forwarded Message ------------
> Date: Wednesday, December 22, 2004 5:46 PM -0500
> From: "John W. Huber, Jr"
> To: diskin
> Subject: Re: [SR198734] error running kerberos in SEI-realm computer
>
> diskin wrote:
>
>> You probably aren't seeing anything under
>> [HKEY_CURRENT_USER\Software\Mit\Leash32] because you haven't set any
>> options. None of these are crucial though, unless you have something
>> really screwy in your default ticket lifetime settings. Can you at
>> least bring up the leash window by right-clicking on the dog icon and
>> selecting "Open Leash Window"? If you can, you can set lifetimes
>> under Options, Kerberos, Ticket Lifetimes. The default should be 10
>> hours. You can set other things and see if the registry gets changed
>> under [HKEY_CURRENT_USER\Software\Mit\Leash32].
>>
>> And if you can bring up the Leash window, see if your Kerberos Five,
>> Configuration options have the Forwardable, Renewable, and "NO
>> Addresses" options Set.
>
> Therein lies the problem. No, I cannot open the Leash Ticket Manager at
> all. At boot time, it appears to load, but as soon as I move my cursor
> anywhere near the Kerberos dog icon in the system tray, then the icon
> disappears completely. If I manually launch the Leash Ticket Manager, then
> a window flashes on the screen very briefly (not long enough to even see
> it) and the dog icon appears in the system tray again. However, the icon
> disappears as soon as I attempt to open it (again just moving the cursor
> near it is enough to make it disappear). Thus, the problem is completely
> with the Leash application and has nothing to do with Oracle Calendar (or
> any other Kerberos-aware application) at all.
>
> Obviously, this means that I cannot set any options or even view the
> defaults for the Leash Ticket Manager. So, no matter what I do, the
> registry entries are not created or changed in any way.
>
>> The really important registry settings are the two AllowTGTSessionKey
>> settings under HKLM\System.... as documented. Please double-check these.
>
> Yes, they are both set to 1 as indicated in the document.
>
>> Beyond that, let me know:
>> 1) is your machine a member of a domain or is it standalone?
>
> It is a member of one of our domains (NETSERVICES).
>
>> 2) If a domain machine, do you log into the domain or into the
>> kerberos realm? (These are options on your initial login drop-down
>> menu).
>
> We do not use Kerberos in any other way (besides using it for Oracle
> Calendar), and I authenticate against the domain.
>
>> 3) What is the exact error message you get?
>
> Again, the Leash Ticket Manager doesn't open at all, but if I attempt to
> launch Oracle Calendar and "Sign-in" using the Supplied by authenticator
> option, then I get the following error dialog:
>
>
>> 4) As much as makes sense, describe to me how things are failing.
>> That is, do things fail when you try to run your calendar program or
>> before? Are you able to login to Kerberos at all? Do you get
>> tickets? If the leash32 gui fails, can you run klist from your
>> c:\program files\mit\kerberos\bin directory to list existing tickets?
>> Can you run kinit youruserid from there to get tickets?
>
> As I explained above, the Leash Ticket Manager will not run and thus
> applications which require it for authentication (including Oracle
> Calendar) fail. The error above is obtained after clicking on the
> "Sign-in" button in the Oracle Calendar Sign-In window. No, I cannot login
> to Kerberos at all. No, I do not get tickets. When I run klist from within
> Windows Explorer, it doesn't run, but again brings up a VERY brief shell
> window that closes automatically. When I run klist from within a shell
> (CMD) window, then I get the following output:
>
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
>
> C:\Program Files\MIT\Kerberos\bin>klist
> klist: No credentials cache found (ticket cache API:krb5cc)
>
>
> Kerberos 4 ticket cache: API:krb4cc
> klist: No ticket file (tf_util)
>
> C:\Program Files\MIT\Kerberos\bin>
>
> Yes, I can run kinit from within the shell window and it seems to work and
> pick up a ticket. Here is the output:
>
> C:\Program Files\MIT\Kerberos\bin>kinit jh6b
> Password for jh6b@ANDREW.CMU.EDU:
>
> C:\Program Files\MIT\Kerberos\bin>klist
> Ticket cache: API:krb5cc
> Default principal: jh6b@ANDREW.CMU.EDU
>
> Valid starting     Expires            Service principal
> 12/22/04 17:38:52  12/23/04 03:38:52
>         krbtgt/ANDREW.CMU.EDU@ANDREW.CMU.EDU
>
>
> Kerberos 4 ticket cache: API:krb4cc
> Principal: jh6b@ANDREW.CMU.EDU
>
>   Issued             Expires            Principal
> 12/22/04 17:38:52  12/23/04 03:38:52
>         krbtgt.ANDREW.CMU.EDU@ANDREW.CMU.EDU
>
> C:\Program Files\MIT\Kerberos\bin>
>
> This is the first action which has behaved correctly (as far as I can
> tell). Of course, once I pick up a ticket in this manner, then Oracle
> Calendar works just fine (I launched it and everything works fine now that
> I have a ticket). This is a great work-around for the time being, but is
> obviously not very practical, nor is it something that we can recommend for
> our user community who are having the same problem.
>
> For what it is worth, I can run kinit from within a Windows Explorer window
> and it seems to work fine in that way as well. However, even now that I
> have a ticket, the klist application will not run from within Windows
> Explorer, but only from within a command shell.
>
> Hopefully, this new knowledge will give you more to work on and maybe the
> MIT folks can shed some light on why the GUI won't run. I look forward to
> hearing any other suggestions and certainly am glad to find the tool to
> manually grab tickets.
>
> Thanks,
> -Jay
>
> ---------- End Forwarded Message ----------
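
One way to run the two checks suggested in the reply at the top of this thread (duplicate KfW DLLs, and whether "klist -c MSLSA:" succeeds), as an added PowerShell example that is not part of the original messages. The install path is the one shown in the quoted transcript; the function names and the set of directories searched are assumptions.

```powershell
# Added example; the install path is the one shown in the thread's transcript.
$KfwBin = 'C:\Program Files\MIT\Kerberos\bin'

function Get-SearchDirs {
    # Assumed search set: install dir, Windows system dirs, then every PATH entry.
    # Add the directory of any Kerberos-aware application you also want covered.
    $dirs = @($KfwBin, [Environment]::SystemDirectory, $env:windir) + ($env:PATH -split ';')
    $dirs | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        ForEach-Object { (Resolve-Path -LiteralPath $_).Path.TrimEnd('\') } |
        Sort-Object -Unique
}

function Find-DuplicateDlls {
    # The DLL names shipped in the install dir are the reference set.
    $names = Get-ChildItem -LiteralPath $KfwBin -Filter *.dll | ForEach-Object Name
    $copies = foreach ($dir in Get-SearchDirs) {
        foreach ($name in $names) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $item = Get-Item -LiteralPath $path
                [pscustomobject]@{
                    Name    = $name
                    Path    = $item.FullName
                    Version = $item.VersionInfo.FileVersion
                    SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                }
            }
        }
    }
    # Keep only names present in more than one directory.
    $copies | Group-Object Name | Where-Object Count -gt 1 | ForEach-Object Group
}

function Test-MslsaCache {
    # Runs the check from the reply; a crash or failure gives a non-zero exit code.
    & (Join-Path $KfwBin 'klist.exe') -c 'MSLSA:' 2>&1 | Out-Host
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Succeeded = ($LASTEXITCODE -eq 0) }
}

$dups = Find-DuplicateDlls
if ($dups) { $dups | Sort-Object Name, Path | Format-Table -AutoSize | Out-Host }
else       { 'No KfW DLL name found in more than one searched directory.' }
Test-MslsaCache
```

Rows that share a Name but differ in Version or SHA256 are the mixed-version case the reply asks about.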