Skip navigation

Can't authenticate with Kerberised services.

8596 Views 16 Replies Latest reply: Jun 10, 2013 1:07 AM by Paul Verity RSS
1 2 Previous Next
Paul Verity Level 1 Level 1 (15 points)
Currently Being Moderated
Feb 29, 2012 2:33 PM



When I log in to Lion (client 10.7.3) I don't get any tickets. When I run kinit and enter my password I get a ticket. I then try and connect to my Mac Mini (running Lion Server 10.7.3) via the Finder but it fails to connect without me having to manually enter the password for my account. I'm not able to authenticate to services like Mail using Kerberos either.


There are a few lines in the Kerberos log file that state the following (some items renamed):


2012-02-29T21:27:28 TGS-REQ foo@SERVER.EXAMPLE.CO.UK from for afpserver/server-example-co-uk.local@SERVER.EXAMPLE.CO.UK [canonicalize]

2012-02-29T21:27:29 Searching referral for server-example-co-uk.local

2012-02-29T21:27:29 Server not found in database: krbtgt/LOCAL@SERVER.EXAMPLE.CO.UK: no such entry found in hdb

2012-02-29T21:27:29 Failed building TGS-REP to


I've noticed that I have no /etc/krb5.conf config file, but this might be normal - I'm guessing Apple might have moved some configuration somewhere else. I tried setting up my DNS with the Kerberos service records. changeip -checkhostname all looks good.


The only odd thing I can see is that it looks like it's trying to look for "afpserver/server-example-co-uk.local@SERVER.EXAMPLE.CO.UK" which indeed does not exist in the keytab file. However, "afpserver/" does exist.


Could this be the problem? Where is the .local suffix coming from? And why are the periods being replaced with hyphens in the hostname?


Any other ideas or suggestions?


Thanks in advance!

  • gpw_wmbg Calculating status...
    Currently Being Moderated
    Mar 4, 2012 6:04 AM (in response to Paul Verity)

    I have the exact same issue happening.

  • RayfromMD Calculating status...
    Currently Being Moderated
    Mar 5, 2012 8:57 AM (in response to gpw_wmbg)

    This may be a service ACL issue - See my ticket which was just resolved by AppleCare.



    It turns out one of the latest Apple updates turned on Service ACL's which caused AFP connections to be blocked. Once I fixed the Service ACL in Server Admin... all connections and Single Sign On worked.

  • cherybeth Calculating status...
    Currently Being Moderated
    Mar 12, 2012 7:53 AM (in response to RayfromMD)

    Please give more specific information as to how you recitfied the ACL service. I just don't see where I have any options to adjust this in Server admin. Thank you.

  • Newbie-2-macs Level 1 Level 1 (15 points)
    Currently Being Moderated
    Mar 13, 2012 4:27 AM (in response to Paul Verity)

    Is this a new setup or has it worked before. It looks to me like the kerberos realm is a bit messed up. There was a command tht could be run to re-kerberise an Open Directory. I will see if I can recall what it was.

  • Newbie-2-macs Level 1 Level 1 (15 points)
    Currently Being Moderated
    Mar 13, 2012 4:34 AM (in response to Newbie-2-macs)

    You could try the information in this article. Note: This is for 10.5. I am assuming that the commands still work the same in Lion Server. If this is a production server do so at you rown risk.


  • Newbie-2-macs Level 1 Level 1 (15 points)
    Currently Being Moderated
    Mar 18, 2012 2:27 AM (in response to Paul Verity)

    In 10.5 apple introduced local KDC for each individual machine. Each LKDC is unique for every client on a network. When clients are imaged the LKDC should have a new hash key generated using a command that I forget a t the moment.  But these are what you are seeing. Server 10.6 had LKDC entries for AFP and for some other services when the Klist -kit command was run.


    If possible you may wish to re-build the OD but having played with lion server for a while it doesn't look like you can demote the server to a stand alone server using the You may be able to use server admin to do this. However hill lose all stored Kerberos information password database and ldap information as well as any users created and prefereences managed with WGM.


    If the process is the same as 10.6 you should then be able to remove the krb file for the domain you had set up. When the server get promoted back to OD master the server should use a default file and re-create the krb file again.


    You may want to check this info though as I am just going through what I would do on an 10.6 server, and I havent done this in a long time.

  • tcpudp Level 1 Level 1 (20 points)
    Currently Being Moderated
    Jul 15, 2012 2:08 PM (in response to Paul Verity)

    I'm having exactly the same issue...please let me know if you've made any progress...

1 2 Previous Next


More Like This

  • Retrieving data ...

Bookmarked By (2)


  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.