another try with Kerberos

Hi all,
I'm trying to get kerberos on POP to work and have been unsuccessful under Server 10.5.1. DNS appears ok and I can get a ticket for diradmin which shows up in the kerberos server log. But I can't seem to get Mail.app (2.1) to log in and retrieve mail. I get a login window asking for my kerberos password and showing the realm in lower case. If I select the uppercase realm name and give it my password I receive a "Can't send request (send tokdc)".
On the Kerberos server log I see AS_REQ to user@domain followed by a TGS_REQ and another TGS_REQ and then a string of
krb5kdc: Invalid message type - while dispatching (udp)

I have ports 88 and 749 open on the AEBS (802.1g). Does this indicate the airport is not forwarding the traffic? Or is it something else?

I configured the edu.mit.Kerberos and managed to finally see a request come over. But nothing else.

I am new to this stuff and reading as fast as I can to catch up, but sometimes it feels like I'm sliding down the walls of a well.

Your help with getting this on track would be appreciated.
Thanks a bunch,
Harry

mini 1.83 core 2 duo 2GB RAM + 500GB ext drive, Mac OS X (10.5.1), iMac G5, PB G4 (3)

Posted on Dec 19, 2007 2:22 PM

13 replies

Dec 19, 2007 5:49 PM in response to harry-pmsi

Hi again,
I read the http://web.mit.edu/macdev/KfM/Common/Documentation/preferences-osx-10.2.html looking to see if the mit string_tokey line was causing my invalid message. Since I only have Kerberos 5 running I took the advice to delete the v4 entries in the preferences file.
Now I can generate tickets for different users in the LDAP directory from a public internet access point by using the Kerberos.app in /System/Library/CoreServices.

However, even though I have a ticket open and running, Mail.app can't log into the POP account with Kerberos. The message now says, unknown user. I tried username, username@domain and username@server.domain. Upper case doesn't solve the problem either. Port 110 is the designated port for receiving.

What am I missing? If the ticket is open and running on the clock, shouldn't I already have login access since it is single sign on?

Help please.
Harry

Dec 19, 2007 8:31 PM in response to harry-pmsi

Can you make a Kerberized connection from the same client for an AFP (filesharing) connection ?

Standard troubleshooting would include making a wired connection and taking the Airport out of the loop, for basic A/B comparison.

Also, while there are key concepts in that article that still apply, I'd suggest serious [ ! ] caution before applying anything to do with 10.2, on a 10.5 server. They are completely different animals. Some Kerberos concepts will still apply, but it's important to realize that the differences are great.

As the article you quoted says, "The information on this page applies to Mac OS X 10.2 only. For links to preferences documentation for other Mac OS versions, click here:"
http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html

They have a page for 10.4 & 10.5

Dec 19, 2007 9:06 PM in response to davidh

Thanks for the link.

I got to the earlier version while searching for the "mit to_stringkey". The only change I made based on the 10.2 article was to eliminate the v4 material in the edu.mit.Kerberos preference file. This worked by allowing me to connect from the internet to the server and get a ticket. So no other changes were made to this file.

I read the 10.5 article and don't see any more changes to make. It still has a brief reference to the "mit to_stringkey" which is removed.

I think the Airport issue is resolved since I can get a ticket now outside the LAN.

Even though a ticket is granted and the timer is counting, Mail.app says the user is unknown.

Does the admin server have to be pointed to diradmin or remain the server by name? diradmin is my LDAP directory administrator. This is the only named reference to an entity other than my server's name.

Thanks again,
Harry

Dec 20, 2007 11:47 AM in response to harry-pmsi

Harry,

I had the same problem and had been troubleshooting it since the day I installed Leopard Server. I must have reinstalled the system 20 times and spent countless hours trying to figure this out.

Not sure if this will solve your problem , but in my case, the solution was quite a bit simpler than expected. Kerberos on the client (10.5.1) needs to be properly configured, although, nowhere in Apple's documentation is that ever stated. You have to use the kerberos tool found in /System/Library/CoreServices/Kerberos and add in the appropriate information for your kerberos realm.

I found the missing pieces of information here at MIT's kerberos site:

http://web.mit.edu/macdev/KfM/KerberosClients/KerberosApp/Documentation/using-osx.html

Specifically here:

http://web.mit.edu/macdev/KfM/KerberosClients/KerberosApp/Documentation/using-osx.html#realms

So, for example, say you have a realm of MY.HOST.COM, here's what you do:

1) Run the kerberos tool on (each client) at /System/Library/CoreServices/Kerberos
2) Go to the edit menu and select "Edit Realms"
3) Click the + and add your kerberos realm MY.HOST.COM. I have it set to "Display realm in dialog popup menu"
4) Click the Servers tab and add 3 servers by clicking the + symbol:

Type Server Port
------------------------------------------------
kdc my.host.com 88
admin my.host.com 749
kpasswd my.host.com 464


5) Click the Domains tab and add 2 domains by clicking the + symbol:

Domain
------------
.host.com
host.com

6) Click the OK button and pray 😉

7) Leave the kerberos tool open and attempt to connect to a kerberized service. You should see a ticket show up in the tool. Try connecting to each service you need and you should be able to see tickets get generated for each kerberized service you connect to. You should also be able to renew and destroy tickets as well as change your password.

What I'd like to make very clear is that I couldn't find this information anywhere in Apple's server documentation, knowledgebase, or forums. If you are new to kerberos like I was, this was a major stumbling block.

Once I set up the kerberos client, everything started working.

I hope this helps someone else in the future.
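
The seven GUI steps above end up as an ordinary krb5.conf-style file at /Library/Preferences/edu.mit.Kerberos, which is what Harry was editing by hand earlier in the thread. The following is an added illustration of what that file looks like for the MY.HOST.COM example; it is not taken from weatherbug's post or from Apple's documentation, and the realm, hostname and ports are the placeholders from the post, not a real deployment:

```ini
# Added example: /Library/Preferences/edu.mit.Kerberos on a 10.5 client,
# equivalent to the Kerberos.app "Edit Realms" settings described above.
# MY.HOST.COM / my.host.com are the placeholder values from the post.

[libdefaults]
	default_realm = MY.HOST.COM

[realms]
	# "Servers" tab: kdc / admin / kpasswd entries
	MY.HOST.COM = {
		kdc = my.host.com:88
		admin_server = my.host.com:749
		kpasswd_server = my.host.com:464
	}

[domain_realm]
	# "Domains" tab: hostnames in these domains map to the realm above.
	# The leading-dot form covers every host under the domain; the bare
	# form covers the domain name itself.
	.host.com = MY.HOST.COM
	host.com = MY.HOST.COM
```

With that in place, `kinit user@MY.HOST.COM` followed by `klist` from Terminal should show the same ticket-granting ticket the Kerberos.app window shows, which is a quick way to tell a client-configuration problem apart from a server-side one.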

Dec 20, 2007 12:09 PM in response to weatherbug

Thank you very much to the two of you. I found some of these references last night and got a bit further. Inside the NAT where I can control the DNS, I am now able to generate a ticket for login and a ticket for pop. Kerberos Server log says all is well.

However, no mail access.
Mail Access Log entry
pop3[3336]: badlogin: [10.0.7.2] GSSAPI authentication failure

In Console: All Messages Log entry
12/20/07 3:02:01 PM pop3[3616] GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Key version number for principal in key table is incorrect)

I am also able to change my password from the client thanks to your pointing out the kpasswd line. So I think part of this is ok.

But where to go from here.

I listed the krb5kdc.keytab and saw two entries for the changepw server.domain with the three cryptologic systems. But I don't know which may be the duplicate of the other.

Some help please. And thanks for the responses so far.

Harry
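
The GSSAPI minor error quoted in this post ("Key version number for principal in key table is incorrect") means the key version number (kvno) stored for the service principal in the keytab the POP daemon reads no longer matches the kvno the KDC holds for that principal, typically because the principal was re-keyed on the KDC after the keytab was written. The script below is an added example, not something from the thread, that compares the two numbers from the output of `klist -k -e` and `kadmin.local -q "getprinc ..."`. The keytab path, the principal names, the realm SERVER.DOMAIN and both command outputs are constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not from the thread): compare the kvno a service's keytab
# entry carries with the kvno the KDC database holds for the same principal.
# On a live server the two inputs come from
#   sudo klist -k -e /etc/krb5.keytab
#   sudo kadmin.local -q "getprinc pop/server.domain@SERVER.DOMAIN"
# The path, principal, realm and both outputs below are constructed samples.

# Constructed sample of `klist -k -e` output.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 pop/server.domain@SERVER.DOMAIN (Triple DES cbc mode with HMAC/sha1)
   2 pop/server.domain@SERVER.DOMAIN (DES cbc mode with CRC-32)
   3 afpserver/server.domain@SERVER.DOMAIN (Triple DES cbc mode with HMAC/sha1)'

# Constructed sample of `kadmin.local getprinc` output for the pop principal.
GETPRINC_SAMPLE='Principal: pop/server.domain@SERVER.DOMAIN
Expiration date: [never]
Last password change: Thu Dec 20 12:01:33 PST 2007
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]'

# keytab_kvno PRINCIPAL KLIST_OUTPUT
# Prints the highest kvno the keytab holds for PRINCIPAL (0 if absent).
keytab_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" \
        '$2 == p { if ($1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}

# kdb_kvno GETPRINC_OUTPUT
# Prints the kvno from the first "Key: vno N, ..." line of getprinc output.
kdb_kvno() {
    printf '%s\n' "$1" | awk '/^Key: vno/ { sub(",", "", $3); print $3; exit }'
}

# check_kvno PRINCIPAL KLIST_OUTPUT GETPRINC_OUTPUT
# Prints "ok" when both sides agree, otherwise "mismatch keytab=N kdc=M".
check_kvno() {
    kt=$(keytab_kvno "$1" "$2")
    db=$(kdb_kvno "$3")
    db=${db:-0}
    if [ "$kt" -eq "$db" ]; then
        echo "ok"
    else
        echo "mismatch keytab=$kt kdc=$db"
    fi
}

check_kvno 'pop/server.domain@SERVER.DOMAIN' "$KLIST_SAMPLE" "$GETPRINC_SAMPLE"
```

A mismatch is fixed by writing a fresh keytab entry from the KDC's current key rather than by touching the user's password: in MIT kadmin, `ktadd pop/server.domain` re-keys the principal and writes the new key and kvno into the keytab in one step, after which the daemon that reads the keytab needs to be restarted. Run the comparison for every service principal the host offers (pop, imap, afpserver, ...), since each has its own entry and its own kvno.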

Dec 20, 2007 1:12 PM in response to harry-pmsi

Well, the "kpasswd" may have created a problem for you.
Apple's server tools (DirectoryService in 10.5) will keep passwords co-ordinated, and your manual change via Kerberos may have resulted in that user password being out of sync with other stores.

See http://www.afp548.com/article.php?story=20060714092117916
and
http://www.afp548.com/article.php?story=LeopardServerReview-LocalDirectory

Dec 20, 2007 1:22 PM in response to davidh

Sorry for any confusion.

I got the GSSAPI errors prior to getting your post.

I then went off and read the link you provided and also got Weatherbug's post.

Trying to fix the GSSAPI error I inserted the kpasswd line into the edu.mit.Kerberos file, verified that I could regenerate the tickets for myself and pop, that I could in fact change the password through the Kerberos app and all was ok. Except nothing changed with mail.app access.

Still getting the GSSAPI error (Key version number for principal in key table is incorrect). I'm stumped.

In the meantime I put in an order for my ISP to reroute the reverse DNS pointer so it comes back to my server.domain instead of domain. In the Kerberos Server log there was a complaint of Unknown Server with pop/domain@server.domain. As soon as I tried the inside net everything on that end cleared up just leaving me with the GSSAPI problem.

Harry

Dec 20, 2007 2:23 PM in response to harry-pmsi

Hi,
I followed up on David's question regarding AFP. I started the service requiring Kerberos login.
An afp ticket was generated along with pop and login tickets. However I get the following msg on the client screen:
"Connection failed - Unknown user, incorrect password, or login is disabled. Please retype the name and password or contact the server's administrator." Funny thing is that no dialog box opens and there is nowhere to enter the username and password.

On the Kerberos server log the ticket is generated as a TGS_REQ to afpserver/server.domain@server.domain

In the afp access log there is a login by user and an immediate logout of user 5823 0 0.

And in Console All Message log I get the same GSSAPI Error Unspecified GSS failure. Minor code may provide more information (key version number for principal in key table is incorrect).

When I look at the ticket in Kerberos app it says
Principal: user@server.domain
Service: afpserver/server.domain@server.domain
Version: Kerberos v5
Status: Valid
and the encryption type was Triple DES cbc mode with HMAC/sha1.

Can you see the disconnect here?

Thanks for all the help,
Harry

Dec 20, 2007 6:56 PM in response to harry-pmsi

Any ideas on why the service ticket is generated but the service isn't responding to the user authenticated by Kerberos. It is as if the authentication isn't handed off properly.

I am agreeing with Weatherbug - this Kerberos stuff is very convoluted and not documented at all. The Open Directory Administration 10.5 basically says promoting Open Directory to Master with a correctly set up DNS will put Kerberos in place. Are they joking?
Not only does the service Kerberosization need coaxing but it completely leaves out the work needed on the client side.

Each of the Admin guides is over 300 pages. I think they wasted a lot of pages and didn't get the message across.

I'm quickly losing confidence that you can build up Leopard server into a solid system. Because increasing the service complexity runs the risk of breaking what is already running.

Your help is appreciated deeply. Thanks for taking the time to educate me and hopefully leave a trail for others to follow.
Harry

Dec 22, 2007 3:51 AM in response to harry-pmsi

Hi

On the server issue:

sudo kadmin.local -q list_principals

It should list all principals valid for the Kerberos Realm, eg: Users, Services, Realms etc. Verify that the user who has trouble authenticating is listed. I know you have probably done this already but I'll ask anyway, has mail been enabled for users in Workgroup Manager? Did you tick the Secure Sockets Layer option when binding clients to the OD Master? If you did, scrub the settings and rebind but this time don't select SSL.

Please ignore if you have already tried these suggestions.

Hope this helps, Tony

Dec 22, 2007 9:42 AM in response to Antonio Rocco

Thanks Tony for the hints.

I tried all manner of listing (everything was there) and then recreating the Kerberos files and starting over with kerberosautoconfig to kdcsetup. All I managed to do was get stopped at every turn with segmentation fault. Whatever that means.

I archived the open directory, went back to standalone and then promoted to open directory master again. The kerberos realm came up and now I get a Kerberize button (never had that before) but the login won't recognize the root/diradmin or server admin. I'm screwed.

To fix an add on feature (Kerberos authentication to mail) I'm now going to have to reinstall (again) and then re permission the wiki/blog stuff to the new users uid and go from there.

This has wasted a month of effort. What's worse is that command line tools don't seem to be able to get out of jams as easily as the documentation would indicate. They tell you there's a problem but not how to fix them.

Thanks for all the help, I've learned a lot on this try.

Harry
