On 3/14/2010 12:14 PM, Jeff Blaine wrote:
>> the MIT klist.exe tells you.
>
>
> Yes, but it won't say anything useful when one has no creds
> because the VPN session is dying before that :)
>
> I meant, "how do I determine what it *would* try to use?"

Funny thing. When I have no credentials and run klist.exe, it tells me
which cache it cannot find any credentials within.

    [C:\src\openafs\openafs.git\repo\src\WINNT]"\Program Files\mit\Kerberos\bin\klist.exe"
    klist.exe: No credentials cache found (ticket cache API:[email protected])

>
>
> As for krb5.ini, there is no 'master_kdc' setting. I've
> never heard of it and don't see that in the MIT Kerberos
> documentation for krb5.conf (?)
>

Another funny thing. When I look at the docs for MIT Kerberos I find

http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6/doc/krb5-admin.html#realms%20%28krb5.conf%29

    [realms]

    *master_kdc*
        Identifies the master KDC(s). Currently, this tag is used in only
        one case: If an attempt to get credentials fails because of an
        invalid password, the client software will attempt to contact the
        master KDC, in case the user's password has just been changed, and
        the updated database has not been propagated to the slave servers
        yet. (We don't currently check whether the KDC from which the
        initial response came is on the master KDC list. That may be fixed
        in the future.)

> Here it is:
>
> [libdefaults]
>     default_realm = RCF.OUR.ORG
>     forwardable = yes
>     ticket_lifetime = 1d
>     renew_lifetime = 2d
>     dns_lookup_realm = no
>     dns_lookup_kdc = no
>
> [appdefaults]
>     forwardable = yes
>
> [domain_realm]
>     .our.org = RCF.OUR.ORG
>
> [realms]
>     RCF.OUR.ORG = {
>         kdc = kdc1.our.org
>         kdc = kdc2.our.org
>         kdc = kdc3.our.org
>         admin_server = kdc1.our.org
>     }
>
> [logging]
>     kdc = FILE:/var/adm/krb5kdc.log
>     admin_server = FILE:/var/adm/kadmin.log
>     default = FILE:/var/adm/krb5lib.log

If you add a master_kdc=kdc1.our.org you should find that the DNS SRV
queries for _master_kdc._udp.RCF.OUR.ORG are no longer being issued.

>
> I'm downloading the Windows Driver Development Kit 620MB ISO
> which is where the "Debugging Tools for Windows" now exist
> apparently.

You do not have to have the most bleeding edge version. One of the
standalone installs would work just fine.

Jeffrey Altman
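
Added example, not part of the original message and not code from MIT Kerberos or OpenAFS: a small checker that reads krb5.ini/krb5.conf text and lists the realms in [realms] that have no master_kdc tag, together with the SRV name of the form mentioned in the reply above. The function names and the generalization of that SRV name to other realms are assumptions; the sample input is constructed from the configuration quoted in the thread.

```python
import re

# Constructed sample, abbreviated from the krb5.ini quoted in the thread.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = RCF.OUR.ORG
    dns_lookup_kdc = no

[realms]
    RCF.OUR.ORG = {
        kdc = kdc1.our.org
        kdc = kdc2.our.org
        kdc = kdc3.our.org
        admin_server = kdc1.our.org
    }
"""

def parse_realms(text):
    """Return {realm: {tag: [values]}} for the [realms] section only."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                           # new top-level section
            section, current = header.group(1), None
            continue
        if section != "realms":
            continue
        if line == "}":                      # end of one realm's block
            current = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if current is None and value.startswith("{"):
            current = realms.setdefault(key, {})        # "REALM = {"
        elif current is not None:
            current.setdefault(key, []).append(value)   # tags may repeat (kdc)
    return realms

def realms_without_master_kdc(text):
    """Map each realm lacking master_kdc to its _master_kdc SRV name
    (name pattern assumed from the one realm named in the thread)."""
    return {realm: f"_master_kdc._udp.{realm}"
            for realm, tags in parse_realms(text).items()
            if "master_kdc" not in tags}

if __name__ == "__main__":
    for realm, srv in realms_without_master_kdc(SAMPLE_KRB5_INI).items():
        print(f"{realm}: no master_kdc set; expect SRV lookups for {srv}")
```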
