[krbdev.mit.edu #8790] Leash krb5_cc_start_seq_get error popups

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[krbdev.mit.edu #8790] Leash krb5_cc_start_seq_get error popups

Greg Hudson via RT-2
Two users at MIT have reported nuisance Leash modal error dialogs
while running Leash (aka MIT Kerberos Ticket Manager) on Windows.  In
both cases the errors started happening after a Windows 10 update in
mid-February.  The error dialogs say:

    Matching credential not found (Kerberos error -1765328243)
    krb5_cc_start_seq_get failed

The errors do not seem to impede the operation of the app that needs
tickets (SAPgui in both cases), except that the error popups happen
repeatedly and steal focus.  I have advised the users to fully exit
the ticket manager after acquiring tickets, which I hope will work
around the most annoying aspect of the problem.

>From code inspection, I believe the error occurs when Leash tries to
update its ticket display.  Leash iterates over the ccache
collection, reaches the LSA ccache, and tries to iterate over the
creds in that ccache.  krb5_start_seq_get() returns KRB5_CC_NOTFOUND
and the error pops up (KrbListTickets.cpp:do_ccache() line 223).  
Normally when the LSA ccache is empty, a prior call to
krb5_cc_get_principal() would fail (line 212) and in that case the
error dialog is suppressed.

Ideally I will get confirmation that the circumstances surrounding
the error are as I suspect (specifically that the users have an API
default ccache and the LSA ccache is empty), account for the
difference in Windows behavior which causes krb5_cc_get_principal()
to succeed on an empty ccache when it used to fail, and then patch
the problem.  But since I cannot personally reproduce the error,
there is a good chance I will simply patch Leash to suppress errors
when krb5_cc_start_seq_get() fails.

krb5-bugs mailing list
[hidden email]