
Kerberos issues w/10.5

Has anyone else had difficulty getting kerberos working correctly with 10.5 server? I have a single 10.5.1 OS X Server that is providing file, mail, jabber, and directory services to my small company of 9 employees. The iCal server and network time machine combined with Single Sign On sealed the deal and we ordered an Xserve as soon as 10.5 Server was released. Installation was pretty painless and before too long I had all of the services up and running. After a bit of time, I even had the Debian Etch linux boxes authenticating to the OD server. Once I had all the systems up and running well, I decided to try my hand at kerberos.

Since kerberos was running (Server Admin says it is 😉 ) I went through each of the services one by one and set them to allow kerberos authentication. The first thing I did was fire up the Kerberos app in /System/Library/CoreServices and tried to get a new ticket. So far so good!!!! Then I connected to an AFP share and voila! Another ticket was generated. I was on a roll. Next I reconfigured my iChat client to connect via kerberos. When I went to connect to the server, I was prompted (again) to accept the self-signed SSL certificate, which I accepted. As soon as I accepted it, it prompted me for it again... and again... and again. This repeated until I turned off kerberos in the client. I thought this might be a fluke with iChat, so I went and configured my Mail.app client to use kerberos. The results were exactly the same for both IMAP and SMTP. It doesn't connect via kerberos and it complains in an infinite loop about the SSL certificate. Interestingly enough, if you configure the server to not use SSL certificates and try it again, the clients still complain about the non-existent "" certificate. Very strange indeed. I tried this with 4 different computers, using the same applications and different user accounts/combinations, all with the same results.

OK, so at this point I started looking through the server logs and poring over the discussion boards, to no avail. Here's an excerpt from kdc.log:

Nov 25 17:25:15 foo.mydomain.com krb5kdc[29436](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::219:e3ff:fee8:12f2: PROCESS_TGS: authtime 0, <unknown client> for xmpp/foo@FOO.MYDOMAIN.COM, Decrypt integrity check failed

Now, I've reconfigured this box about 20 times by playing with kerberosautoconfig, kdcsetup, and sso_util, so this message is just a slight variant of others I "was" getting. Other log entries say "xmpp/foo.local@FOO.MYDOMAIN.COM".

Here's my latest /Library/Preferences/slapconfig.log:

############################################################

2007-11-25 15:12:27 -0800 - slapconfig -createldapmasterandadmin
2007-11-25 15:12:28 -0800 - Creating password server slot
2007-11-25 15:12:28 -0800 - command: /usr/sbin/mkpassdb -a -u diradmin -p -q
2007-11-25 15:12:28 -0800 - command: /usr/sbin/mkpassdb -a -u root -p -q
2007-11-25 15:12:28 -0800 - command: /usr/sbin/mkpassdb -a -u foo.mydomain.com$ -p -q
2007-11-25 15:12:28 -0800 - command: /usr/sbin/mkpassdb -setcomputeraccount 0x474a015c6b8b45670000000400000004
2007-11-25 15:12:28 -0800 - Setting SASL realm to <foo.mydomain.com>
2007-11-25 15:12:28 -0800 - command: /usr/sbin/mkpassdb -setrealm foo.mydomain.com
2007-11-25 15:12:29 -0800 - Copied file from /etc/openldap/slapd.conf to /etc/openldap/slapd.conf.backup.
2007-11-25 15:12:31 -0800 - Starting LDAP server (slapd)
2007-11-25 15:12:31 -0800 - command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=foo,dc=enable-us,dc=com -w **
2007-11-25 15:12:32 -0800 - command: /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
2007-11-25 15:12:32 -0800 - slaptest command output:
config file testing succeeded
2007-11-25 15:12:32 -0800 - Stopping LDAP server (slapd)
2007-11-25 15:12:32 -0800 - Starting LDAP server (slapd)
2007-11-25 15:12:32 -0800 - command: /usr/bin/ldapmodify -c -x -D uid=root,cn=users,dc=foo,dc=enable-us,dc=com -w **
2007-11-25 15:12:33 -0800 - Stopping LDAP server (slapd)
2007-11-25 15:12:33 -0800 - Starting LDAP server (slapd)
2007-11-25 15:12:33 -0800 - command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=foo,dc=enable-us,dc=com -w **
2007-11-25 15:12:33 -0800 - Attempting to open /LDAPv3/127.0.0.1 node
2007-11-25 15:12:33 -0800 - Opened /LDAPv3/127.0.0.1 node
2007-11-25 15:12:34 -0800 - Configuring Kerberos server, realm is FOO.MYDOMAIN.COM
2007-11-25 15:12:34 -0800 - Removed directory at path /var/db/krb5kdc.
2007-11-25 15:12:34 -0800 - command: /sbin/kerberosautoconfig -r FOO.MYDOMAIN.COM -m foo.mydomain.com -u -v 1
2007-11-25 15:12:34 -0800 - command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p ** -v 1 FOO.MYDOMAIN.COM
2007-11-25 15:12:37 -0800 - kdcsetup command output:

Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Cannot find primary hostname, falling back to using the first one found
Creating KDC Config File
Creating Admin ACL File
Creating Kerberos Master Key
Creating Kerberos Database
Creating Kerberos Admin user
WARNING: no policy specified for diradmin@FOO.MYDOMAIN.COM; defaulting to no policy
Adding kerberos auth authority to admin user
Creating keytab for the admin tools
Adding KDC & kadmind to launchd
Adding the new KDC into the KerberosClient config record
Cannot find primary hostname, falling back to using the first one found
Finished
2007-11-25 15:12:37 -0800 - command: /usr/sbin/sso_util configure -x -r FOO.MYDOMAIN.COM -f /LDAPv3/127.0.0.1 -a diradmin -p ** -v 1 all
2007-11-25 15:12:40 -0800 - sso_util command output:
Contacting the directory server
Creating the service list
Cannot find primary hostname, falling back to using the first one found
Creating the service principals
WARNING: no policy specified for cifs/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for ldap/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for xgrid/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for vpn/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for ipp/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for xmpp/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for XMPP/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for host/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for smtp/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for nfs/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for http/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for HTTP/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for pop/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for imap/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for ftp/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for afpserver/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
Creating the keytab file
Configuring services
WriteSetupFile: setup file path = /temp.RFrY/setup
2007-11-25 15:12:40 -0800 - command: /sbin/kerberosautoconfig -f /LDAPv3/127.0.0.1 -u -v 1
2007-11-25 15:12:40 -0800 - command: /usr/sbin/mkpassdb -kerberize
2007-11-25 15:12:40 -0800 - mkpassdb command output:
WARNING: no policy specified for foo.mydomain.com$@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for root@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for diradmin@FOO.MYDOMAIN.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "diradmin@FOO.MYDOMAIN.COM".
WARNING: no policy specified for disabled-slot-0x1@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for foo.mydomain.com$@FOO.MYDOMAIN.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "foo.mydomain.com$@FOO.MYDOMAIN.COM".
WARNING: no policy specified for root@FOO.MYDOMAIN.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "root@FOO.MYDOMAIN.COM".
WARNING: no policy specified for diradmin@FOO.MYDOMAIN.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "diradmin@FOO.MYDOMAIN.COM".
WARNING: no policy specified for disabled-slot-0x1@FOO.MYDOMAIN.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "disabled-slot-0x1@FOO.MYDOMAIN.COM".
2007-11-25 15:12:40 -0800 - command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2007-11-25 15:12:40 -0800 - command: /usr/sbin/vpnaddkeyagentuser -q /LDAPv3/127.0.0.1
2007-11-25 15:12:49 -0800 - slapconfig -selfwrite
2007-11-25 15:12:49 -0800 - slapconfig -setldapconfig
2007-11-25 15:12:49 -0800 - command: /usr/sbin/mkpassdb -setreplicationinterval 300 SyncDefault
2007-11-25 15:12:49 -0800 - command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

############################################################

Here's my /Library/Preferences/edu.mit.Kerberos:

FOO.MYDOMAIN.COM = {
admin_server = foo.local
kdc = foo.local
}
[domain_realm]
.local = FOO.MYDOMAIN.COM
local = FOO.MYDOMAIN.COM
[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log

############################################################

Something I've noticed is the entries for foo.local, although I'm clueless as to how they got there. When I promote the standalone to OD Master, it defaults to FOO.LOCAL. I change it to FOO.MYDOMAIN.COM. The ldap directory is always correct though (dc=foo, dc=enable-us, dc=com).


To recap, I think there are a couple of issues here:

1) Some kerberos services work (AFP) and others don't (xmpp, smtp, imap)
2) My kerberos installation is definitely suspect, although why AFP would work and not others is beyond me.

I believe my DNS servers are working correctly and the hostname does resolve to the IP address I have assigned to the server. It works both forward and reverse. I've done a lot of different things and tried setting things manually:

############################################################


foo:# slapconfig -kerberize -f diradmin FOO.MYDOMAIN.COM

diradmin's Password: XXXX
Warning: You are bound to another realm, suggest not to kerberize this OD server.
Removed directory at path /var/db/krb5kdc.
command: /sbin/kerberosautoconfig -r FOO.MYDOMAIN.COM -m foo.mydomain.com -u -v 1
command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p ** -v 1 FOO.MYDOMAIN.COM
kdcsetup command output:
Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Cannot find primary hostname, falling back to using the first one found
Creating KDC Config File
kdcsetup command failed with status 11
kdcsetup command failed with exit code 11: stdout=(null), error-message=Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Cannot find primary hostname, falling back to using the first one found
Creating KDC Config File

############################################################


What I'm noticing is the error message: "Cannot find primary hostname, falling back to using the first one found". I don't understand what this message means. It shouldn't be DNS related because the box can certainly resolve its hostname from DNS, both forward and reverse.


############################################################


After I run this, my edu.mit.Kerberos becomes this:

# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
# autogenerated from : Self Generated
# generation_id :
[libdefaults]
default_realm = FOO.MYDOMAIN.COM
[realms]
FOO.MYDOMAIN.COM = {
admin_server = foo.mydomain.com
kdc = foo.mydomain.com
}
[domain_realm]
.mydomain.com = FOO.MYDOMAIN.COM
mydomain.com = FOO.MYDOMAIN.COM
[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log

############################################################


This actually looks like it should, but things still don't work correctly.


Thanks in advance.


MacBook Pro, Mac OS X (10.5.1)

Posted on Nov 25, 2007 8:28 PM
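The three artifacts pasted in this post (the kdc.log line, the edu.mit.Kerberos realm sections, and later in the thread a `klist -k` listing) can be cross-checked mechanically. The script below is an added example, not code from the original post or from Apple's tools. It parses each artifact with small purpose-built parsers and reports the mismatches that produce "Decrypt integrity check failed": a `.local` (Bonjour) name in the `kdc =` entry, a service principal the KDC is asked for that is not in the keytab while a differently named one (`xmpp/foo.local` rather than `xmpp/foo`) is, and short hostnames in service principals. The log-line regex follows the MIT krb5kdc format of the quoted excerpt; the second log line, the user `alice`, the address `192.0.2.10` and the keytab rows are constructed for illustration.

```python
"""Kerberos triage for the artifacts in this thread: a krb5kdc log line, the
[realms]/[domain_realm] sections of edu.mit.Kerberos, and `klist -k` output.
Added example, not code from the posts or from Apple's tools; all sample data
below is constructed around the thread's realm and hostnames."""
import re
from collections import defaultdict

# MIT krb5kdc request line, in the shape of the thread's kdc.log excerpt.
KDC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<msg>\w+) \(\d+ etypes \{[^}]*\}\) (?P<client_ip>\S+): (?P<stage>\w+): "
    r"authtime \d+, (?:etypes \{[^}]*\}, )?(?P<client>.+?) for "
    r"(?P<service>[^,\s]+)(?:, (?P<error>.*))?$")
KEYTAB_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s*$")


def parse_kdc_log(text):
    """Dicts for every line KDC_RE matches; unrelated lines are skipped."""
    return [m.groupdict() for m in map(KDC_RE.match, text.splitlines()) if m]


def parse_krb5_conf(text):
    """Return ({realm: {key: value}}, {domain: realm}); other sections ignored."""
    realms, domain_realm, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "realms" and line.endswith("{"):
            realm = line[:-1].strip(" =")
            realms[realm] = {}
        elif section == "realms" and line == "}":
            realm = None
        elif "=" in line and (section == "domain_realm" or realm):
            key, value = (s.strip() for s in line.split("=", 1))
            (domain_realm if section == "domain_realm" else realms[realm])[key] = value
    return realms, domain_realm


def parse_klist_k(text):
    """`klist -k` rows ('KVNO Principal') as {principal: {kvno, ...}}."""
    keytab = defaultdict(set)
    for m in filter(None, map(KEYTAB_RE.match, text.splitlines())):
        keytab[m["principal"]].add(int(m["kvno"]))
    return dict(keytab)


def domain_covers(domain, host):
    d = domain.lstrip(".")
    return host == d or host.endswith("." + d)


def triage(kdc_log, krb5_conf, keytab_text):
    """List of findings; empty means the three artifacts agree with each other."""
    realms, domain_realm = parse_krb5_conf(krb5_conf)
    keytab = parse_klist_k(keytab_text)
    findings = []
    for realm, cfg in realms.items():
        kdc = cfg.get("kdc", "")
        if kdc.endswith(".local"):  # Bonjour/mDNS name leaked into the Kerberos config
            findings.append(f"realm {realm}: kdc '{kdc}' is an mDNS .local name, not a DNS FQDN")
        if not any(domain_covers(d, kdc) for d, r in domain_realm.items() if r == realm):
            findings.append(f"realm {realm}: no [domain_realm] entry covers kdc host '{kdc}'")
    for rec in parse_kdc_log(kdc_log):
        service = rec["service"]
        svc, _, host = service.partition("@")[0].partition("/")
        if rec["error"] and "integrity check failed" in rec["error"]:
            # The KDC's key for this principal does not match what the service
            # presented: keytab and KDC database disagree (stale key or kvno).
            findings.append(f"{service}: KDC reports '{rec['error']}' (keytab/KDC key mismatch)")
        if service not in keytab:
            same = sorted(p for p in keytab if p.startswith(svc + "/"))
            findings.append(f"{service}: absent from keytab, which holds {same or 'nothing'} for {svc}")
        if host and "." not in host:
            findings.append(f"{service}: short host '{host}' in service principal, expected an FQDN")
    return findings


# Constructed samples: the first log line is the thread's; the second, the user
# alice, 192.0.2.10 and the keytab rows are made up for illustration.
KDC_LOG = """\
Nov 25 17:25:15 foo.mydomain.com krb5kdc[29436](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::219:e3ff:fee8:12f2: PROCESS_TGS: authtime 0, <unknown client> for xmpp/foo@FOO.MYDOMAIN.COM, Decrypt integrity check failed
Nov 25 17:26:02 foo.mydomain.com krb5kdc[29436](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1196040000, etypes {rep=18 tkt=18 ses=18}, alice@FOO.MYDOMAIN.COM for afpserver/foo.mydomain.com@FOO.MYDOMAIN.COM
"""
KRB5_CONF_BROKEN = """\
[libdefaults]
default_realm = FOO.MYDOMAIN.COM
[realms]
FOO.MYDOMAIN.COM = {
admin_server = foo.local
kdc = foo.local
}
[domain_realm]
.local = FOO.MYDOMAIN.COM
local = FOO.MYDOMAIN.COM
"""
# The post-slapconfig version from the thread, with DNS names in place of .local.
KRB5_CONF_FIXED = KRB5_CONF_BROKEN.replace("foo.local", "foo.mydomain.com").replace(
    "\n.local =", "\n.mydomain.com =").replace("\nlocal =", "\nmydomain.com =")
KEYTAB = """\
KVNO Principal
---- ------------------------------------------------------------
   3 afpserver/foo.mydomain.com@FOO.MYDOMAIN.COM
   3 xmpp/foo.local@FOO.MYDOMAIN.COM
   3 imap/foo.local@FOO.MYDOMAIN.COM
"""

if __name__ == "__main__":
    for cfg_name, cfg in (("broken", KRB5_CONF_BROKEN), ("fixed", KRB5_CONF_FIXED)):
        print(f"== {cfg_name} edu.mit.Kerberos ==")
        for finding in triage(KDC_LOG, cfg, KEYTAB):
            print("-", finding)
```

On a real box the inputs would be /var/log/krb5kdc/kdc.log, /Library/Preferences/edu.mit.Kerberos and the output of `sudo klist -k`. The point of running it against both config variants is the one the post describes: rewriting edu.mit.Kerberos so that it "looks like it should" removes only the config finding, while the log findings stay, because the service principals were keyed as `.../foo.local` (see the sso_util output above, right after the "Cannot find primary hostname" warning) and the KDC is being asked for `xmpp/foo`, for which it holds a different key. Note that AFP is the one service whose keytab entry matches the name the client asks for, which is consistent with AFP working while XMPP, SMTP and IMAP do not.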

3 replies

Nov 30, 2007 12:49 PM in response to weatherbug

What is the network topology of your connection to the Internet?
I ran into exactly what you described when I tried (and failed) to have my server host be on the inside of an AirPort Extreme Base Station (802.11n, but pre-gigE). I had my DNS set up where my server host had correct forward and reverse mappings, as seen by the outside world, by the server itself, and by the inside-the-AEBS-DHCP-and-NAT-managed subnet; but when I went to set up the OD master, I was always hit with your

Cannot find primary hostname, falling back to first one found

problem. Eventually I gave up, and bought a second line from my ISP, and now my server sits out there on the big-I Internet. I guess there's a silver lining in that I know that if I can reach it from my original, NAT'd subnet, I will be almost certain [modulo ISP port blocking] to be able to reach it from coffeeshops, libraries, airports, whatever. Still, it's an extra $120/year in ISP charges just to work around what seems to be a bug.

So how is your server connected to the outside world?

Jan 30, 2008 3:43 AM in response to weatherbug

I'm close to this situation.
I have my Leopard Server running. Everything seems to work fine. I have my clients (10.4.11) running with network home folders. If I do something like

sudo klist -k | grep afpserver

I get the answer that Kerberos has tickets for that:

3 afpserver/LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7@LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7
3 afpserver/LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7@LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7
3 afpserver/LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7@LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7
3 afpserver/server.asam.private@SERVER.ASAM.PRIVATE
3 afpserver/server.asam.private@SERVER.ASAM.PRIVATE
3 afpserver/server.asam.private@SERVER.ASAM.PRIVATE

But now my problem. I try to enable Kerberos authentication as the only possibility on the AFP service, and then the clients log in as guests without getting a ticket.
How to enable them to get a kerberos ticket?

If I enable other authentication on the AFP service, it works fine and I can get tickets, for example if I launch Mail and it asks for my Kerberos password.
