Date: Thu, 18 Mar 2004 13:06:13 -0500
From: Matt Lytle <mjl@andrew.cmu.edu>
To: krb5-bugs@mit.edu
Subject: Multiple bugs and a few feature requests
Bug1: Leash32 from 2.6Beta7 crashes when starting on a Windows 2000
machine when attached to a remote network with no VPN connection. Error
message (note memory addresses changes): "The instruction at 0x77fcca36"
referenced memory at "0x000c0100" the memory could not be written". This
does not occur on Windows XP boxes, and leash32 runs fine after the vpn
connection is established.

Bug2: It appears that for some reason that Leash32 likes to disable the
AFS Status setting. It appears to happen when it can not contact the cell
for some reason. Can this be changed or overridden? Possibly with a
registry key. We are trying to support remote users, and run leash32 on
startup (in the task tray) and it is very inconvenient for them to have to
enable the afs properties frequently.

Bug3: When obtaining tickets via ms2mit.exe and when they expire you
receive an error message that says: Ticket expired (Kerberos error 32)
krb5_get_renewed_creds() failed. However, clicking ok, and then using the
renew button in leash it works.

Feature Request1: Add options like -aklog to leash32 to be used in
conjunction with -ms2mit. Also add -persistent to leash32 to be used in
conjunction with -ms2mit, so it does the -ms2mit then stays in the task
tray. I would like to be able to call something like "leash32 -ms2mit
-aklog -persistent" from the command line.

Feature Request2: Make ms2mit optionally run as a service. It would be
nice if it ran in the background (or through leash32) and automatically
extracted tickets from the ms lsa cache when they were renewed.

Thanks,

Matt
Date: Thu, 18 Mar 2004 16:11:31 -0500
From: Jeffrey Altman <jaltman@columbia.edu>
To: rt-comment@krbdev.mit.edu
Cc: krb5-prs@MIT.EDU
Subject: Re: [krbdev.mit.edu #2425] Multiple bugs and a few feature requests
In the future please submit bug reports on Kerberos for Windows
to the KFW Bug mailing list: kfw-bugs@mit.edu

Also, please submit each bug separately so that they may each be tracked.

Matt Lytle via RT wrote:

>Bug1: Leash32 from 2.6Beta7 crashes when starting on a Windows 2000
>machine when attached to a remote network with no VPN connection. Error
>message (note memory addresses changes): "The instruction at 0x77fcca36"
>referenced memory at "0x000c0100" the memory could not be written". This
>does not occur on Windows XP boxes, and leash32 runs fine after the vpn
>connection is established.
>
In other words, you are reporting that Leash is crashing
when there is a network connection but the KDC for the
default realm is not reachable when run on Windows 2000.
Is this correct?


>Bug2: It appears that for some reason that Leash32 likes to disable the
>AFS Status setting. It appears to happen when it can not contact the cell
>for some reason. Can this be changed or overridden? Possibly with a
>registry key. We are trying to support remote users, and run leash32 on
>startup (in the task tray) and it is very inconvenient for them to have to
>enable the afs properties frequently.
>
The AFS Status is disabled when there is a problem
communicating with the AFS Client Service. This is
a bug in the AFS Client. OpenAFS version 1.3.60 fixes
this problem. The cause is a race condition between
the pioctl() and RPC calls necessary for performing
Token operations with the AFS Client Service. The
AFS library libauthent.dll did not place a system
global critical section around both operations allowing
multiple applications such as Leash32.exe and afscreds.exe
to step on each other's toes.

>Bug3: When obtaining tickets via ms2mit.exe and when they expire you
>receive an error message that says: Ticket expired (Kerberos error 32)
>krb5_get_renewed_creds() failed. However, clicking ok, and then using the
>renew button in leash it works.
>
Confirm that you have the correct configuration data
for your Windows Domain and KDC within the KRB5.INI
file. Leash possesses renewable tickets in its cache
but is unable to renew the tickets. Most likely it
cannot contact your KDC.

Another possibility is that your KDC is refusing to
renew the tickets. In which case, Windows simply uses
the cached username and password to perform a new TGS
request which cannot be done by Leash directly.

>Feature Request1: Add options like -aklog to leash32 to be used in
>conjunction with -ms2mit. Also add -persistent to leash32 to be used in
>conjunction with -ms2mit, so it does the -ms2mit then stays in the task
>tray. I would like to be able to call something like "leash32 -ms2mit
>-aklog -persistent" from the command line.
>
Use the -autoinit option as described in the documentation.
This will automatically perform an import from the MSLSA
cache when the session is Kerberos authenticated.

>
>Feature Request2: Make ms2mit optionally run as a service. It would be
>nice if it ran in the background (or through leash32) and automatically
>extracted tickets from the ms lsa cache when they were renewed.
>
This is how Leash currently behaves when properly configured and
auto-ticket-renewal is turned on.

Jeffrey Altman
Kerberos for Windows maintainer.
One more question on your Bug1. What command line parameters are used
when the program crashes?
Date: Thu, 18 Mar 2004 17:20:50 -0500
From: Matt Lytle <mjl@andrew.cmu.edu>
To: krb5-bugs@mit.edu
Subject: Re: [krbdev.mit.edu #2425] Multiple bugs and a few feature requests


--On Thursday, March 18, 2004 5:00 PM -0500 Jeffrey Altman via RT
<rt-krbdev-comment@krbdev.mit.edu> wrote:

> One more question on your Bug1. What command line parameters are used
> when the program crashes?
>
>
We received the following response without a reply to the question.

[mjl@andrew.cmu.edu - Thu Mar 18 17:20:55 2004]:

>
>
> --On Thursday, March 18, 2004 5:00 PM -0500 Jeffrey Altman via RT
> <rt-krbdev-comment@krbdev.mit.edu> wrote:
>
> > One more question on your Bug1. What command line parameters are used
> > when the program crashes?
> >
> >
>
>
>
>
Date: Thu, 18 Mar 2004 17:29:23 -0500
From: Matt Lytle <mjl@andrew.cmu.edu>
To: krb5-bugs@mit.edu
Subject: Re: [krbdev.mit.edu #2425] Multiple bugs and a few feature requests
We are passing no parameters to the leash. It is just a minimized shortcut.

--Matt

--On Thursday, March 18, 2004 5:25 PM -0500 Jeffrey Altman via RT
<rt-krbdev-comment@krbdev.mit.edu> wrote:

> We received the following response without a reply to the question.
>
> [mjl@andrew.cmu.edu - Thu Mar 18 17:20:55 2004]:
>
>>
>>
>> --On Thursday, March 18, 2004 5:00 PM -0500 Jeffrey Altman via RT
>> <rt-krbdev-comment@krbdev.mit.edu> wrote:
>>
>> > One more question on your Bug1. What command line parameters are used
>> > when the program crashes?
>> >
>> >
>>
>>
>>
>>
>
>
>
please try the build located at:

http://web.mit.edu/~jaltman/Public/Leash/MITKerberosForWindows-2.6-preBeta-9.exe
/afs/athena.mit.edu/user/j/a/jaltman/Public/Leash/MITKerberosForWindows-2.6-preBeta-9.exe

I think it should address your Bug #1. Please let me know ASAP.
Thanks.

- Jeff
Date: Fri, 19 Mar 2004 10:22:05 -0500
From: Matt Lytle <mjl@andrew.cmu.edu>
To: krb5-bugs@mit.edu
Subject: Re: [krbdev.mit.edu #2425] Multiple bugs and a few feature requests
You are correct this fixes bug #1.

Thanks!

Matt

--On Friday, March 19, 2004 2:40 AM -0500 Jeffrey Altman via RT
<rt-krbdev-comment@krbdev.mit.edu> wrote:

> please try the build located at:
>
> http://web.mit.edu/~jaltman/Public/Leash/MITKerberosForWindows-2.6-preBeta-9.exe
> /afs/athena.mit.edu/user/j/a/jaltman/Public/Leash/MITKerberosForWindows-2.6-preBeta-9.exe
>
> I think it should address your Bug #1. Please let me know ASAP.
> Thanks.
>
> - Jeff
>
>
confirmation that the only true bug on this ticket, #1, has been fixed
has been received.
Date: Tue, 23 Mar 2004 11:11:09 -0500
From: Matt Lytle <mjl@cert.org>
To: Jeffrey Altman <jaltman@columbia.edu>, rt-comment@krbdev.mit.edu
Cc: krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #2425] Multiple bugs and a few feature requests
> Matt Lytle via RT wrote:
>
>> Bug1: Leash32 from 2.6Beta7 crashes when starting on a Windows 2000
>> machine when attached to a remote network with no VPN connection. Error
>> message (note memory addresses changes): "The instruction at
>> 0x77fcca36" referenced memory at "0x000c0100" the memory could not be
>> written". This does not occur on Windows XP boxes, and leash32 runs
>> fine after the vpn connection is established.
>>
> In other words, you are reporting that Leash is crashing
> when there is a network connection but the KDC for the
> default realm is not reachable when run on Windows 2000.
> Is this correct?
>

That was correct, although it appears to be fixed with beta 9 that you had
me test.

>
>> Bug2: It appears that for some reason that Leash32 likes to disable the
>> AFS Status setting. It appears to happen when it can not contact the
>> cell for some reason. Can this be changed or overridden? Possibly
>> with a registry key. We are trying to support remote users, and run
>> leash32 on startup (in the task tray) and it is very inconvenient for
>> them to have to enable the afs properties frequently.
>>
> The AFS Status is disabled when there is a problem
> communicating with the AFS Client Service. This is
> a bug in the AFS Client. OpenAFS version 1.3.60 fixes
> this problem. The cause is a race condition between
> the pioctl() and RPC calls necessary for performing
> Token operations with the AFS Client Service. The
> AFS library libauthent.dll did not place a system
> global critical section around both operations allowing
> multiple applications such as Leash32.exe and afscreds.exe
> to step on each other's toes.
>

Good to know, we are going to be using the 1.3.61 client soon.

>> Bug3: When obtaining tickets via ms2mit.exe and when they expire you
>> receive an error message that says: Ticket expired (Kerberos error 32)
>> krb5_get_renewed_creds() failed. However, clicking ok, and then using
>> the renew button in leash it works.
>>
> Confirm that you have the correct configuration data
> for your Windows Domain and KDC within the KRB5.INI
> file. Leash possesses renewable tickets in its cache
> but is unable to renew the tickets. Most likely it
> cannot contact your KDC.
> Another possibility is that your KDC is refusing to
> renew the tickets. In which case, Windows simply uses
> the cached username and password to perform a new TGS
> request which cannot be done by Leash directly.
>

So would requesting non-renewable tickets solve this problem? My krb5.ini
is correct. Although it seems that all tickets imported with ms2mit have
the R flag. How do I avoid that?


>> Feature Request1: Add options like -aklog to leash32 to be used in
>> conjunction with -ms2mit. Also add -persistent to leash32 to be used in
>> conjunction with -ms2mit, so it does the -ms2mit then stays in the task
>> tray. I would like to be able to call something like "leash32 -ms2mit
>> -aklog -persistent" from the command line.
>>
> Use the -autoinit option as described in the documentation.
> This will automatically perform an import from the MSLSA
> cache when the session is Kerberos authenticated.
>>

Can there be an option added so that -autoinit also does an aklog?

>> Feature Request2: Make ms2mit optionally run as a service. It would be
>> nice if it ran in the background (or through leash32) and automatically
>> extracted tickets from the ms lsa cache when they were renewed.
>>
> This is how Leash currently behaves when properly configured and
> auto-ticket-renewal is turned on.

It seems to work with the exception of the above error message. As I
mentioned above using ms2mit causes the tickets to have the R flag set.

>
> Jeffrey Altman
> Kerberos for Windows maintainer.

Thanks,

Matt

Date: Tue, 23 Mar 2004 11:19:16 -0500
From: Jeffrey Altman <jaltman@columbia.edu>
To: Matt Lytle <mjl@cert.org>
Cc: rt-comment@krbdev.mit.edu, krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #2425] Multiple bugs and a few feature requests
Matt Lytle wrote:
>> Matt Lytle via RT wrote:
>>
>>> Bug3: When obtaining tickets via ms2mit.exe and when they expire you
>>> receive an error message that says: Ticket expired (Kerberos error 32)
>>> krb5_get_renewed_creds() failed. However, clicking ok, and then using
>>> the renew button in leash it works.
>>>
>> Confirm that you have the correct configuration data
>> for your Windows Domain and KDC within the KRB5.INI
>> file. Leash possesses renewable tickets in its cache
>> but is unable to renew the tickets. Most likely it
>> cannot contact your KDC.
>> Another possibility is that your KDC is refusing to
>> renew the tickets. In which case, Windows simply uses
>> the cached username and password to perform a new TGS
>> request which cannot be done by Leash directly.
>>
>
> So would requesting non-renewable tickets solve this problem? My krb5.ini is correct. Although it seems that all tickets imported with ms2mit have the R flag. How do I avoid that?

You should debug why renewable tickets are failing to be renewed.
The most likely cause is that your service principals are
configured to allow renewable tickets but that the renew til time
is less than the lifetime of the ticket.

>>> Feature Request1: Add options like -aklog to leash32 to be used in
>>> conjunction with -ms2mit. Also add -persistent to leash32 to be used in
>>> conjunction with -ms2mit, so it does the -ms2mit then stays in the task
>>> tray. I would like to be able to call something like "leash32 -ms2mit
>>> -aklog -persistent" from the command line.
>>>
>> Use the -autoinit option as described in the documentation.
>> This will automatically perform an import from the MSLSA
>> cache when the session is Kerberos authenticated.
>>
>
> Can there be an option added so that -autoinit also does an aklog?

It already does perform the aklog function. The same
as when you obtain tickets using Leash.

>>> Feature Request2: Make ms2mit optionally run as a service. It would be
>>> nice if it ran in the background (or through leash32) and automatically
>>> extracted tickets from the ms lsa cache when they were renewed.
>>>
>> This is how Leash currently behaves when properly configured and
>> auto-ticket-renewal is turned on.
>
> It seems to work with the exception of the above error message. As I mentioned above using ms2mit causes the tickets to have the R flag set.

Your other option is to set the KRB5CCNAME to "MSLSA:" and then the
MS LSA cache will be used instead of the CCAPI. There will be no
need to perform an ms2mit operation.

Jeffrey Altman
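
The Bug3 discussion above turns on three timestamps in the ticket: start time, end time and renew-till. The following sketch is an added example, not part of the original thread and not Leash or krb5 code; it models the renewal rule from RFC 4120 in Python, and the names `Ticket` and `renewal_outcome` and all sample times are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

KRB_AP_ERR_TKT_EXPIRED = 32  # "Ticket expired (Kerberos error 32)" from Bug3


@dataclass
class Ticket:  # hypothetical model of a cached TGT, not a krb5 structure
    starttime: datetime
    endtime: datetime
    renew_till: Optional[datetime]  # None means the R flag is not set


def renewal_outcome(t: Ticket, now: datetime) -> Tuple[str, Optional[datetime]]:
    """Predict what a renewal attempt at `now` yields: (status, new endtime)."""
    if t.renew_till is None:
        return "not-renewable", None
    if now >= t.endtime:
        # The TGT itself is no longer valid, so the KDC rejects the request
        # with KRB_AP_ERR_TKT_EXPIRED; only a fresh initial login helps.
        return "expired", None
    if now >= t.renew_till:
        return "renew-window-closed", None
    lifetime = t.endtime - t.starttime
    # RFC 4120: the renewed ticket keeps the old lifetime, capped at renew-till.
    new_end = min(now + lifetime, t.renew_till)
    if new_end <= t.endtime:
        return "no-gain", new_end  # renew-till leaves no room past endtime
    return "ok", new_end


# Constructed sample tickets (times are illustrative only).
START = datetime(2004, 3, 23, 8, 0)
GOOD = Ticket(START, START + timedelta(hours=10), START + timedelta(days=7))
TIGHT = Ticket(START, START + timedelta(hours=10), START + timedelta(hours=10))

if __name__ == "__main__":
    for name, tkt in (("GOOD", GOOD), ("TIGHT", TIGHT)):
        for hour in (17, 19):
            print(name, hour, renewal_outcome(tkt, START.replace(hour=hour)))
```

A renewal attempted after the end time always lands in the `expired` branch, which is why automatic renewal has to be scheduled before the ticket expires rather than in response to the expiry.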


Date: Tue, 23 Mar 2004 16:46:15 -0500
From: Matt Lytle <mjl@andrew.cmu.edu>
To: krb5-bugs@mit.edu
Subject: Re: [krbdev.mit.edu #2425] Multiple bugs and a few feature requests
(For tracking sake following up here).

When testing Beta 9, Leash starts and runs for some amount of time (approx
1hr). It then crashes with the same characteristics as before.

--Matt

--On Friday, March 19, 2004 2:40 AM -0500 Jeffrey Altman via RT
<rt-krbdev-comment@krbdev.mit.edu> wrote:

> please try the build located at:
>
> http://web.mit.edu/~jaltman/Public/Leash/MITKerberosForWindows-2.6-preBeta-9.exe
> /afs/athena.mit.edu/user/j/a/jaltman/Public/Leash/MITKerberosForWindows-2.6-preBeta-9.exe
>
> I think it should address your Bug #1. Please let me know ASAP.
> Thanks.
>
> - Jeff
>
>