Subject: Leash krb5_cc_start_seq_get error popups
Two users at MIT have reported nuisance Leash modal error dialogs
while running Leash (aka MIT Kerberos Ticket Manager) on Windows. In
both cases the errors started happening after a Windows 10 update in
mid-February. The error dialogs say:

Matching credential not found (Kerberos error -1765328243)
krb5_cc_start_seq_get failed

The errors do not seem to impede the operation of the app that needs
tickets (SAPgui in both cases), except that the error popups happen
repeatedly and steal focus. I have advised the users to fully exit
the ticket manager after acquiring tickets, which I hope will work
around the most annoying aspect of the problem.

From code inspection, I believe the error occurs when Leash tries to
update its ticket display. Leash iterates over the ccache
collection, reaches the LSA ccache, and tries to iterate over the
creds in that ccache. krb5_start_seq_get() returns KRB5_CC_NOTFOUND
and the error pops up (KrbListTickets.cpp:do_ccache() line 223).
Normally when the LSA ccache is empty, a prior call to
krb5_cc_get_principal() would fail (line 212) and in that case the
error dialog is suppressed.

Ideally I will get confirmation that the circumstances surrounding
the error are as I suspect (specifically that the users have an API
default ccache and the LSA ccache is empty), account for the
difference in Windows behavior which causes krb5_cc_get_principal()
to succeed on an empty ccache when it used to fail, and then patch
the problem. But since I cannot personally reproduce the error,
there is a good chance I will simply patch Leash to suppress errors
when krb5_cc_start_seq_get() fails.

From: ghudson@mit.edu
Subject: git commit

Suppress krb5_cc_start_seq_get() popups in Leash

Under some circumstances (perhaps related to a February Windows 10
update), Leash can get past the krb5_cc_get_principal() step when
processing an empty MSLSA ccache, and get a KRB5_CC_NOMATCH error from
krb5_cc_start_seq_get(). Do not display a modal error dialog if this
happens.

https://github.com/krb5/krb5/commit/3208e88cae1c5b3c3f0477e64565764118df6316
Author: Greg Hudson <ghudson@mit.edu>
Commit: 3208e88cae1c5b3c3f0477e64565764118df6316
Branch: master
src/windows/leash/KrbListTickets.cpp | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Suppress krb5_cc_start_seq_get() popups in Leash

Under some circumstances (perhaps related to a February Windows 10
update), Leash can get past the krb5_cc_get_principal() step when
processing an empty MSLSA ccache, and get a KRB5_CC_NOMATCH error from
krb5_cc_start_seq_get(). Do not display a modal error dialog if this
happens.

(cherry picked from commit 3208e88cae1c5b3c3f0477e64565764118df6316)

https://github.com/krb5/krb5/commit/0d822a48ce8b187961b61dab86612d919105ebdc
Author: Greg Hudson <ghudson@mit.edu>
Commit: 0d822a48ce8b187961b61dab86612d919105ebdc
Branch: krb5-1.17
src/windows/leash/KrbListTickets.cpp | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)