Lukas Kubin wrote:

Jeffrey Altman wrote:

What operating system? What service pack?


Windows XP (Czech), SP1

There is a known bug in KFW on non-English versions of Windows. Please try the KFW 2.6.4 Beta
available from http://web.mit.edu/kerberos/ which fixes this problem.

can you network trace the machine to see if requests are being sent to the KDC?


Yes. I did trace the KRB5 communication to the KDC. The result was (chronologically):

 AS-REQ - client's request for the krbtgt principal
 TGS-REQ - request for afs service ticket
 AS-REQ - KERBEROS-KDC-PROBE request for krbtgt
 AS-REQ - OPENAFS-KDC-PROBE request for krbtgt

The last request got a "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" error response. Also I noticed each of the requests was sent twice, one immediately after the other.

I noticed that sometimes, when MSLSA was empty, and I tried "kdestroy -c MSLSA:", the command returned the error "Internal credentials cache error while destroying cache" and right after that the MSLSA "filled up" somehow, so I could run ms2mit and aklog. But this doesn't work every time.

The way Microsoft implemented the LSA cache, requested tickets are only stored in the cache if they are not requested with any particular combination of ticket flags or encryption types. It is often the case that tickets will in fact not be cached although they will be returned to the LSA caller. Microsoft will be implementing a new feature in a future release which will allow applications to instruct the cache to store the retrieved ticket even when ticket flags or encryption types are specified. KFW 2.6.4 can auto-detect this feature when it is available and take advantage of it. However, this feature will not be available for quite some time, as the deadlines for both XP SP2 and 2003 SP1 have been missed.

2) After login, Leash doesn't acquire K5 tickets. It only gets AFS tokens even if the MSLSA cache is not empty. I can run ms2mit or "leash32 -m" by hand, however I would like Leash to get them during its startup.

Read the release notes for KFW. You need to set the default realm equal to the Windows domain OR set a flag in the registry.


My only realm name is OPF.SLU.CZ and the domain name is the same. I set it using "ksetup /setrealm OPF.SLU.CZ". User mapping is set to "* *".

The default realm in KRB5.INI must be specified as OPF.SLU.CZ
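The thread's diagnosis comes down to one configuration check: the default_realm in krb5.ini must match the Windows domain exactly, and Kerberos realm names are case-sensitive while Windows domain names are not. The following is an added example, not code from the thread or from KFW, that parses the [libdefaults] section of a krb5.ini and reports the mismatches a practitioner would want flagged before chasing LSA-cache behaviour. The sample krb5.ini text is constructed for the example; the KDC hostname in it is a placeholder, and the check does not cover the registry-flag alternative Jeffrey mentions.

```python
import re

# Constructed sample krb5.ini (not from the thread); the KDC hostname is a placeholder.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = OPF.SLU.CZ
    dns_lookup_kdc = true

[realms]
    OPF.SLU.CZ = {
        kdc = kdc.placeholder.example
    }
"""


def default_realm(krb5_ini_text):
    """Return the default_realm value from [libdefaults], or None if absent.

    A small hand parser is used because krb5.ini's nested [realms] blocks
    ({ ... } with indented lines) confuse configparser's continuation rules.
    """
    section = None
    for raw in krb5_ini_text.splitlines():
        # Strip comments (krb5.ini accepts '#' and ';') and surrounding whitespace.
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            section = header.group(1).lower()
            continue
        if section == 'libdefaults' and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            if key.lower() == 'default_realm':
                return value
    return None


def check_realm_against_domain(krb5_ini_text, windows_domain):
    """Return a list of problems found; an empty list means the realm setting is consistent.

    Windows domain names compare case-insensitively, but a Kerberos realm is
    case-sensitive and is conventionally the upper-cased domain name, so a
    lowercase realm is reported even when it matches the domain ignoring case.
    """
    problems = []
    realm = default_realm(krb5_ini_text)
    if realm is None:
        problems.append("default_realm is missing from [libdefaults]")
        return problems
    if realm != realm.upper():
        problems.append("default_realm '%s' is not upper-case; realms are case-sensitive" % realm)
    if realm.upper() != windows_domain.upper():
        problems.append("default_realm '%s' does not match Windows domain '%s'"
                        % (realm, windows_domain))
    return problems


if __name__ == "__main__":
    for issue in check_realm_against_domain(SAMPLE_KRB5_INI, "OPF.SLU.CZ") or ["realm configuration consistent"]:
        print(issue)
```

On a machine where the domain is OPF.SLU.CZ, as in the thread, the sample passes; feeding the same text with `default_realm = opf.slu.cz` or with the line removed produces the two failure reports KFW's release-notes requirement is meant to avoid.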


