16 Replies. Latest reply: Sep 25, 2012 9:27 PM by ServerBurninator
Kevin Neal Level 2 (480 points)

I have a fresh install of Lion that did have Kerberos functioning properly, but I've noticed recently that a lot of clients are regularly unable to connect to iChat when they log in, with an error message saying the server doesn't support Kerberos, while other clients connect to iChat with no problems.

I have looked in CoreServices > Ticket Viewer and can see that on the clients with the connection problem there is a ticket with the user name but the incorrect realm @WELLKNOWN:COM.APPLE.LKDC, and it expired in 1970!!

If I delete this ticket and add a new one, the correct realm is shown and iChat connects properly, but on next login the incorrect ticket will be back!

  • 1. Re: Kerberos Ticket expired on login
    tcpudp Level 1 (20 points)

    Having exactly the same issue. How can I default a Kerberos principal and make it persistent after reboot?

  • 2. Re: Kerberos Ticket expired on login
    Kevin Neal Level 2 (480 points)

    Glad it's not just me. I'm currently trying to do a fresh set-up of Mountain Lion Server to see if this is any better than Lion, though I don't feel ML Server is quite ready for full-time use yet.

  • 3. Re: Kerberos Ticket expired on login
    tcpudp Level 1 (20 points)

    Already done. Didn't help!

  • 4. Re: Kerberos Ticket expired on login
    tcpudp Level 1 (20 points)

    Hope this helps visualising the problem:

    [Screenshot: Screen Shot 2012-08-09 at 3.03.31 PM.png]

    What we want is that the system would default the first ticket upon login, which is the correct one.

  • 5. Re: Kerberos Ticket expired on login
    Rambling Man Level 1 (35 points)

    I'm having the same problem but with AFP, and can now reliably repeat the creation of the 'wellknown' ticket.

    On the client:

    1. Delete all identities in Ticket Viewer.

    2. Go to Finder and click on my server from a local folder. This will generate the '@WELLKNOWN:COM.APPLE.LKDC' ticket every time.

    3. Finder hangs for a few moments and then shows the shared directories (I'm guessing not using Kerberos).

    I think the issue with AFP is to do with using .local rather than the fully qualified domain name that the other services are using, and this might be a similar problem with iChat.

    I was having problems with the mail server and clients authenticating to it, but fixed that by clearing out the local KDC (LKDC) on the client using:

    1. sudo rm -rf /var/db/krb5kdc

    2. sudo rm -rf /etc/krb5.keytab

    3. sudo rm -rf /Library/Preferences/edu.mit.Kerberos

    4. Bind the client to the server again.

    I have the server running Mail, Calendar and Contacts, and watching Ticket Viewer, Contacts is very reliable at creating the correct tickets when I start it.

    Have you tried setting the correct ticket as 'default' using the button in Ticket Viewer, or deleting all the identities and adding the correct ticket directly in Ticket Viewer, then making it default? This might help with the reset on re-login.

    For reference, both the client and server are running 10.8 and were upgraded from 10.7.4.

    Hope this helps, and if I find anything else useful out I'll post it.

  • 6. Re: Kerberos Ticket expired on login
    Kevin Neal Level 2 (480 points)

    Thanks for the reply, I will give this a go later and report back. Though I just wanted to say I'm using FQDNs for everything, no .local.

    But hopefully this will still help.

  • 7. Re: Kerberos Ticket expired on login
    Kevin Neal Level 2 (480 points)

    Out of interest, should setting the realm in WGM managed preferences for edu.mit.Kerberos make any difference? I've tried managing this preference and leaving it unmanaged, and I can't really see what difference it makes.

  • 8. Re: Kerberos Ticket expired on login
    tcpudp Level 1 (20 points)

    It should make no difference: if you can make it work manually under /Library/Preferences, then using WGM to push it should do the same job. The problem is we can't even get the manual thing to make a difference. This local KDC just keeps coming back whatever I've tried.

    I've tried to set the correct ticket as default manually in Ticket Viewer, but it didn't survive a logout.

  • 9. Re: Kerberos Ticket expired on login
    Kevin Neal Level 2 (480 points)

    I've been having a look around on the server, and the only reference to @WELLKNOWN:COM.APPLE.LKDC I can find is in Directory Utility, in node Local/Default under Kerberos Ticket Granting Ticket.

    Not sure if that helps anyone figure out what's going on...

  • 10. Re: Kerberos Ticket expired on login
    Rambling Man Level 1 (35 points)

    Rambling Man wrote:

        I was having problems with the mail server and clients authenticating to it, but fixed that by clearing out the local KDC (LKDC) on the client using:

        1. sudo rm -rf /var/db/krb5kdc

        2. sudo rm -rf /etc/krb5.keytab

        3. sudo rm -rf /Library/Preferences/edu.mit.Kerberos

        4. Bind the client to the server again.

    Just wanted to update the discussion on the LKDC element of my post.

    I don't believe the LKDC is having any impact on the problem, and have reset it by:

    1. Ensuring the existing LKDC data is removed:
      1. Repeat sudo rm -rf /var/db/krb5kdc
      2. Repeat sudo rm -rf /etc/krb5.keytab
      3. Open Keychain Access, search for 'kdc' and delete the 3 com.apple.kerberos.kdc items.
    2. Run the command to reinstall the LKDC: sudo /usr/libexec/configureLocalKDC. This is non-destructive, so it can be rerun without upsetting anything.
    3. Re-bind the client to the server.

    This will reset the LKDC. I tested it by sharing the screen of my server and looking for the long LKDC ticket to appear in Ticket Viewer, which it did.

  • 11. Re: Kerberos Ticket expired on login
    Dirk Thannhäuser Level 1 (0 points)

    After logging in I just ran

    kdestroy

    on the command line.

    That destroyed the "WELLKNOWN ..." ticket.

    Then looking up the credentials cache with

    klist

    showed the correct krbtgt and realm.

    Unfortunately I have to do this procedure every time I log in.
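The kdestroy/klist workaround in the post above can be automated so it does not have to be typed at every login. The script below is an added example written for this thread, not code from the original posts or from Apple: it parses klist output for the default cache's principal, decides whether that cache is the stale @WELLKNOWN:COM.APPLE.LKDC ticket (wrong realm, or a TGT that klist already marks expired), and only then runs kdestroy. The two klist samples are constructed; the user name "user", the realm EXAMPLE.COM and the timestamps are assumptions standing in for the posters' real values.

```shell
#!/bin/sh
# Added example, not from the thread: decide at login whether the default
# Kerberos cache is the bogus @WELLKNOWN:COM.APPLE.LKDC ticket and, if so,
# run kdestroy.  The realm string, klist and kdestroy come from the thread;
# the sample outputs below are constructed and "user"/EXAMPLE.COM/times are
# assumptions.

LKDC_REALM='WELLKNOWN:COM.APPLE.LKDC'

# Constructed sample: Heimdal klist output when the stale LKDC ticket is the
# default cache (TGT dated 1970 and marked expired, as in the screenshot).
SAMPLE_KLIST_LKDC='Credentials cache: API:501:1
        Principal: user@WELLKNOWN:COM.APPLE.LKDC

  Issued                Expires               Principal
Jan  1 00:00:00 1970  >>>Expired<<<         krbtgt/WELLKNOWN:COM.APPLE.LKDC@WELLKNOWN:COM.APPLE.LKDC'

# Constructed sample of a healthy cache in the server realm.
SAMPLE_KLIST_OK='Credentials cache: API:501:2
        Principal: user@EXAMPLE.COM

  Issued                Expires               Principal
Aug  9 15:03:31 2012  Aug 10 01:03:31 2012  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Print the principal of the default cache from klist output ($1).
klist_principal() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Principal:[[:space:]]*//p' | head -n 1
}

# Print the realm part of a principal ($1): everything after the last '@'.
principal_realm() {
    printf '%s\n' "${1##*@}"
}

# Return 0 (true) when the default cache should be destroyed: it belongs to
# the local KDC realm, or klist already marks its TGT as expired.
needs_kdestroy() {
    realm=$(principal_realm "$(klist_principal "$1")")
    [ "$realm" = "$LKDC_REALM" ] && return 0
    printf '%s\n' "$1" | grep -q '>>>Expired<<<' && return 0
    return 1
}

# Live check for a login hook or per-user LaunchAgent.  kdestroy removes only
# the current default cache; the remaining cache in the server realm then
# becomes the default, which matches what klist showed in the post above.
fix_login_ticket() {
    out=$(klist 2>/dev/null) || return 0   # no cache at all: nothing to do
    if needs_kdestroy "$out"; then
        kdestroy
        return 0
    fi
    return 1
}

# Invoke with "run" to act on the live cache; with no arguments only the
# functions are defined, so the file can be sourced or tested offline.
if [ "${1:-}" = run ]; then
    fix_login_ticket
fi
```

Run it as `sh fix_login_ticket.sh run` from a login hook; it is deliberately a no-op when klist reports no cache, and it never touches a cache whose principal is already in the server realm. The `>>>Expired<<<` marker is what Heimdal's klist prints in the Expires column for an expired ticket.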

  • 12. Re: Kerberos Ticket expired on login
    Kevin Neal Level 2 (480 points)

    This might help... not tested yet.

    Use this on the server:

    sudo sso_util configure -r REALM_NAME -a diradmin afp

    Replace REALM_NAME.

    Restart the server.

  • 13. Re: Kerberos Ticket expired on login
    enthusuast Level 1 (0 points)

    Here 10.7.4 upgraded to 10.8.1.

    Using Mac mini server, dual Ethernet, dual domain, portable homes.

    Users can't log in. There is a window saying that due to an error it is unable to log in.

    '@WELLKNOWN:COM.APPLE.LKDC' ticket every time.

    Users that were portable home users before the 10.8 upgrade can log in.

    But when the desktop opens, the cube transition throws you back to the login screen (endless loop, after password). The only way to get "logged in" to a desktop that stays was to unbind and log in.

    I think the AFP realm is pointing to the other domain, not sure...

  • 14. Re: Kerberos Ticket expired on login
    Kevin Neal Level 2 (480 points)

    I was also unable to log in with ML, but I've just done a fresh client install and it now logs in, though there is a nasty bug with network homes where opening Mail will corrupt your Address Book and wipe all your contacts.
