SCS Computing
 Services and Solutions
Carnegie Mellon School of Computer Science, Carnegie Mellon University

Why Use Leash?

Leash is a graphical system-tray tool designed to manage Kerberos tickets on Microsoft Windows. Leash is used to obtain Kerberos tickets, change your Kerberos password, and obtain Andrew File System (AFS) tokens.

Leash combines the functionality of several command-line tools a user would use to manage Kerberos functions: kinit, klist, kdestroy, ms2mit, aklog, and passwd or kpasswd. It brings all of these functions into one user interface and supports auto-renewal or user notification when tickets are approaching expiration.

There are many ways to execute Leash. In addition to clicking on a Leash shortcut, you can start Leash from the Windows Command Prompt or the Run... option. Command-line options may be specified. If you run Leash with the options -i or -kinit, it will display the ticket initialization dialog and exit; -m or -ms2mit or -import will import tickets from the Microsoft Windows logon session (if available) and exit; -d or -destroy will destroy all existing tickets and exit; -r or -renew will renew existing Kerberos tickets (if possible) and exit; -a or -autoinit will display the ticket initialization dialog if you have no Kerberos tickets.

You may create a shortcut to Leash within your Windows Startup folder (Start Menu->Programs->Startup). A shortcut to "Leash32.exe -autoinit" ensures that Kerberos tickets are available for the use of Kerberized applications throughout your Windows logon session.
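The Startup shortcut described above can also be created from PowerShell. This is an added example, not part of the Leash help file; the default install path and the shortcut file name are assumptions, so pass -LeashPath with the real location of Leash32.exe on your machine.

```powershell
# Added example: create a per-user Startup shortcut that runs "Leash32.exe -autoinit".
param(
    # Assumption: where Leash32.exe is installed; adjust to your installation.
    [string]$LeashPath = 'C:\Program Files\MIT\Kerberos\bin\Leash32.exe',
    # Assumption: name of the shortcut file to create.
    [string]$ShortcutName = 'Leash autoinit.lnk'
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Refuse to create a shortcut that points at nothing: a dangling Startup entry
# would leave Kerberized applications without tickets and give no clear reason.
if (-not (Test-Path -LiteralPath $LeashPath -PathType Leaf)) {
    throw "Leash32.exe not found at '$LeashPath'. Pass -LeashPath with the real location."
}

# Per-user Startup folder (Start Menu -> Programs -> Startup).
$startup = [Environment]::GetFolderPath('Startup')
$lnkPath = Join-Path $startup $ShortcutName

$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = $LeashPath
$lnk.Arguments        = '-autoinit'   # show the ticket dialog only if no tickets exist
$lnk.WorkingDirectory = Split-Path -Parent $LeashPath
$lnk.Description      = 'Obtain Kerberos tickets at logon if none are present'
$lnk.Save()

# Read the shortcut back from disk and fail if it does not match what was requested.
$check = $shell.CreateShortcut($lnkPath)
if ($check.TargetPath -ne $LeashPath -or $check.Arguments -ne '-autoinit') {
    throw "Shortcut '$lnkPath' was written but does not match the requested target."
}
'{0} -> "{1}" {2}' -f $lnkPath, $check.TargetPath, $check.Arguments
```

The shortcut is written to the current user's Startup folder only, so it takes effect at that user's next Windows logon.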

If Leash is not executed before using a Kerberized application, the application may prompt you for your password. Some applications, like lpr, never prompt you for a password. These applications simply terminate with a message indicating that you are not authenticated. Before these applications can be used successfully, a separate program, such as Leash or kinit, must first be used to authenticate you using Kerberos.

Leash does not perform a logon in the sense of the Windows Logon Service. A logon service would do more than manage Kerberos tickets. A logon service would authenticate you to the local machine, validate access to your local file system, and perform additional set-up tasks. These are beyond the scope of Leash. Leash simply allows you to manage Kerberos tickets on behalf of compatible applications and to change your Kerberos password.

Leash Screen Display (Kerberometer and Dash Notification)

The window title contains the name "Leash" followed by the current date and time. Below the title are a menu bar; a tool bar (optional); a tree view; and a status bar (optional).

The root of the Leash tree view shows the active user principal name (user@REALM). This entry appears with a "+" icon and a Kerberos icon to its left. Click the plus icon on a line to expand the branch; the icon then changes to "-". To collapse the branch, click the minus sign.

Below the user principal, the tree contains ticket categories. Below each ticket category are the current tickets belonging to the group. Each ticket entry contains the current ticket status, the time it was issued, the time it will expire, and the service principal and flags. For Kerberos 5 tickets, encryption types and network address information are listed below each ticket.

The tree updates once per minute. If you need an immediate update of your ticket status, you can either click in the window or press the Update Display button on the toolbar.

On the right of the status bar is a display of the remaining time of your tickets in hours, minutes, and seconds. Both Kerberos 4 and Kerberos 5 tickets are shown; because some programs obtain only Kerberos 4 tickets, the two are not necessarily the same. This used to be known as the Kerberometer. Each ticket is described and represented by an icon of a little ticket. The color of the ticket changes based on its viability:

  • green = normal
  • yellow = tickets are within 15 minutes of expiration
  • red = tickets have expired, or you have no tickets
  • gray = these tickets are not available to you

At 15, 10, and 5 minutes before your Kerberos tickets expire, a screen pops up to warn that your Kerberos tickets will expire soon and to give you the opportunity to renew them. This used to be known as Dash-style notification.

Andrew File System (AFS) token information is displayed only on machines that have either OpenAFS for Windows or Transarc AFS 3.6 for Windows installed.

Leash System Tray Tool

The above was excerpted from the Leash Ticket Manager Help File. To follow hyperlinks listed, open Leash Ticket Manager, select Help\Why Use Leash.