I run a Linux environment that's set up in an MIT Kerberos Realm. That realm has a one-way trust setup that allows tickets for Active Directory principals (from Windows 7 clients) to be accepted as authentication (for SSH and ODBC for Hadoop/Hive). I'm having two problems.

The first problem I'm having is that Windows 7 users using Kerberos for Windows 4.01 do not seem to be able to use their AD ticket in the MSLSA cache. If I set KRB5CCNAME to a file and obtain an AD ticket independently of MSLSA, everything works fine. With KRB5CCNAME set to MSLSA: it does not work. I did find a note about setting AllowTGTSessionKey to 1, but that's already been done (and rebooted). Is there a way to use the AD tickets stored in MSLSA using MIT KfW? I assumed it was possible looking at the release notes where it says "Integration with the Windows LSA credentials cache", but maybe that's not the case.

I'm also experiencing a problem where (using either MSLSA: or a file for the CC) I can renew tickets just fine from a cmd window using "kinit -R", but the MIT Kerberos.exe sys tray tool crashes when it tries to renew. I get the following in event viewer:

> Faulting application name: MIT Kerberos.exe, version: 4.0.1.2, time stamp:
> 0x50c22fb6
> Faulting module name: MSVCR100.dll, version: 10.0.40219.325, time stamp:
> 0x4df2bcac
> Exception code: 0xc0000005
> Fault offset: 0x000000000003c560
> Faulting process id: 0x1828
> Faulting application start time: 0x01d05782975e269d
> Faulting application path: C:\Program Files\MIT\Kerberos\bin\MIT
> Kerberos.exe
> Faulting module path: C:\Windows\system32\MSVCR100.dll
> Report Id: 631e69e6-c3c7-11e4-92c0-180373cb2112

The exception code points to some kind of access issue, but I can't seem to see what it is. Watching it with Process Monitor wasn't very interesting, but I'm not an expert. If I run "MIT Kerberos.exe" -renew it gives the message "There was an error renewing tickets!".

Thanks,
Chris