
Kerberos Returns: "Client not found on Kerberos database"

I have two Xserves (PPC). One does router chores. The other does AFP and Open Directory. I have been upgrading to Leopard in two phases. The first was the Router (NAT, DNS, DHCP, Mail pending Kerio setup, Firewall, VPN). That went great. All beautiful and good. However, I've not been able to get Kerberos to work on Tiger AFP since Security Update last March. I could get a ticket but it wouldn't allow me to mount the share point. This was a known error and I guess never got fixed in Tigerland.

I got my second Xserve running this week. I imported my OD as directed and it all went together quite beautifully. Mail is drawing from the OD and AFP is drawing from the OD each on separate servers. But when I tried to move AFP to Kerberos only (as in the old days of 2008) I can't get a ticket. I get this message:

"Kerberos Login Failed: Client not found on Kerberos database." I ran a terminal command suggested elsewhere (serveradmin settings afp:kerberosPrincipal=afpserver/server.yourserver.com@SERVER.YOURSERVER.COM) but that made no difference.

DNS is fine. I can get and receive email on my server, it returns the correct forward and back. That was taken care of two months ago when I fired up the Router (DNS) server. When I run the log I get many repetitions of this:

Jun 14 20:59:12 myserver.ftimidwest.com krb5kdc[122](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.7.6: CLIENT NOTFOUND: wescrenshaw@MYSERVER.FTIMIDWEST.COM for krbtgt/MYSERVER.FTIMIDWEST.COM@MYSERVER.FTIMIDWEST.COM, Client not found in Kerberos database.

So I'm kind of stuck here. Any help would be appreciated. If it's helpful to have another log let me know.

Thanks in advance.

XServe G5 Dual 2.3 5gb Ram & G4 Single 1.3 2gb, Mac OS X (10.4.5), A whole network....

Posted on Jun 14, 2009 7:13 PM


Jul 8, 2009 2:53 PM in response to wescrenshaw

Apparently I asked a really obscure question. I searched the bejabbers out of Google and finally came up with this article:

http://www.afp548.com/forum/print.php?id=7537.

It is unclear to me why this was a problem but it is as I suspected. Something wasn't allowing Kerberos to see the OD entries after my upgrade. The only solution appeared to be (and was) to demote OD to standalone. Reboot and then manually re-enter the data. Then rebind the other servers to the OD (almost forgot that step!). This was not as catastrophic for me with 15 entries as it was for the poor guy in the above article who had 300 entries. I would weep.

That has resulted in me being able to get a ticket. Unfortunately now I can't get that ticket to allow me access to AFP (set to Kerberos) or on Mail. I'll have to search that one out on the forum.

Jul 8, 2009 10:39 PM in response to wescrenshaw

Sometimes it pays to remove the service principals from the keytab, delete the principals, re-create the principals and then re-add them to the keytab. See what's in the keytab already with:

klist -k

Assuming the service principal you need to reset is afpserver/server.yourserver.com@SERVER.YOURSERVER.COM, launch kadmin.local as root and execute:

ktrem afpserver/server.yourserver.com@SERVER.YOURSERVER.COM

delprinc afpserver/server.yourserver.com@SERVER.YOURSERVER.COM

ank -randkey afpserver/server.yourserver.com@SERVER.YOURSERVER.COM

ktadd afpserver/server.yourserver.com@SERVER.YOURSERVER.COM

Jul 15, 2009 4:03 PM in response to jaydisc

klist -k returns

Keytab name: FILE:/etc/krb5.keytab

I will wait to run your suggested routines until the weekend when I can have the system tied up and can be sure I have a backup before I run it. HOWEVER, you are a little over my head. I know how to log into root and run terminal commands (well enough) but are you saying I first launch kadmin.local as a command and then run each of these at its prompt? When I tried to do that WITHOUT logging into ROOT it denied me. So I assume that will work when I do log into ROOT. I apologize but terminal is not second nature to me yet and I don't recall doing that before.

THANKS THANKS THANKS. I do appreciate your help. Perhaps this is it. I can't find any other listings to help me. The ticket is there just fine but it won't open anything (mail either). Password server works fine. Just not Kerberos. Give me this one clarification and I'll see what I can figure out.

Jul 15, 2009 4:44 PM in response to wescrenshaw

Sorry, all of the above commands expect you to be running as root. However, you don't have to login to your Mac as root to do this. The recommended option is to simply prefix each command with sudo, e.g.:

sudo klist -k

This will only work if you are an admin user. You can also switch yourself to root ONLY in Terminal (no need to logout/login of the Mac) with:

sudo su

After doing that, you can confirm you are root with:

whoami

Simply type "exit" to return to yourself when you are done.

Now, kadmin.local is an interactive program, so once you have launched it with:

sudo kadmin.local

You will be put at a prompt for you to run the other commands, e.g. ktrem, ank, etc. Once you are in kadmin.local, there is no need to continue using the sudo command. It will not understand it.

Jul 15, 2009 6:25 PM in response to wescrenshaw

The output of 'klist -k' outputs a list of all the Kerberized services on the server. If you do, 'klist -ke', it will list the authentication methods for each Kerberized service. If you wish to post the output without revealing hostnames and realms, copy and paste the output into a plain-text editor, then do a search and replace on the hostnames and realms to 'sanitize' it, then post it here.

Jul 15, 2009 7:09 PM in response to wescrenshaw

There's really no need to post it. You should have three similar entries that start with afpserver, e.g.

afpserver/server.name.net@REALM.NAME.NET

It is these that you want to remove (ktrem), delete (delprinc), create (ank), and add (ktadd). Note that you only need to do each step once, not three times.

It is also important that when you get to the create step (ank), that you make sure the server name part matches the fully qualified domain name that you will be using to connect to your AFP server.

Lastly, once this is all done, make double sure that AFP is set to use this principal with:

sudo serveradmin settings afp:kerberosPrincipal = "afpserver/best.server.name.net@REALM.NET"

And then restart AFP.
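
As an added example, not written by anyone in this thread, here is a small Python script that cross-checks the three things the replies above ask for: the afpserver entries in the klist -ke listing, the afp:kerberosPrincipal value (its host part must match the FQDN typed into Connect to Server and its realm must be upper-case), and the CLIENT NOTFOUND lines in the krb5kdc log quoted in the original post. The keytab listing, log lines, hostnames, user names and realm below are constructed placeholders, not values from this thread.

```python
import re

# Constructed sample in the format `klist -ke` prints (KVNO, principal, enctype).
# Hostnames and realm are placeholders.
SAMPLE_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afpserver/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 afpserver/server.example.com@EXAMPLE.COM (des3-cbc-sha1)
   3 afpserver/server.example.com@EXAMPLE.COM (arcfour-hmac)
   3 host/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed krb5kdc lines in the shape quoted in the thread: one rejected AS_REQ, one issued ticket.
SAMPLE_KDC_LOG = """Jun 14 20:59:12 server.example.com krb5kdc[122](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.7.6: CLIENT NOTFOUND: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database.
Jun 14 20:59:40 server.example.com krb5kdc[122](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.7.6: ISSUE: authtime 1245029980, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$", re.M)
NOTFOUND_LINE = re.compile(r"CLIENT NOTFOUND: (\S+) for (\S+),")

def parse_keytab(text):
    """Map each principal in `klist -ke` output to the sorted list of enctypes it has keys for."""
    entries = {}
    for _kvno, princ, etype in KEYTAB_LINE.findall(text):
        entries.setdefault(princ, set()).add(etype)
    return {p: sorted(e) for p, e in entries.items()}

def check_afp_principal(keytab_text, configured, connect_host):
    """Compare the afp:kerberosPrincipal setting with the keytab and the FQDN clients connect to."""
    configured = configured.strip().strip('"').strip()  # tolerate quotes/spaces from serveradmin
    keytab = parse_keytab(keytab_text)
    problems = []
    if configured not in keytab:
        problems.append("principal %s is not in the keytab" % configured)
    svc, _, rest = configured.partition("/")
    host, _, realm = rest.partition("@")
    if svc != "afpserver":
        problems.append("service part is %r, expected afpserver" % svc)
    if host.lower() != connect_host.lower():
        problems.append("principal host %s != connect-to hostname %s" % (host, connect_host))
    if realm != realm.upper():
        problems.append("realm %s is not upper-case" % realm)
    return problems  # empty list means the setting is consistent

def missing_clients(log_text):
    """Client principals the KDC rejected with CLIENT NOTFOUND (i.e. absent from its database)."""
    return sorted({m.group(1) for m in NOTFOUND_LINE.finditer(log_text)})

if __name__ == "__main__":
    print(check_afp_principal(SAMPLE_KEYTAB, ' "afpserver/server.example.com@EXAMPLE.COM" ', "server.example.com"))
    print(missing_clients(SAMPLE_KDC_LOG))
```

A non-empty result from check_afp_principal points at a keytab/setting mismatch on the server, while a name in missing_clients means the KDC itself has no such user principal, which is the symptom the original post describes.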

Jul 18, 2009 1:48 PM in response to wescrenshaw

Still no love on this end. The terminal commands went just as described. The only thing I wondered about when I got done was whether I was supposed to have AFP stopped while I was doing this b/c it suggested a restart at the end. I did a full server restart even. If I missed the step to shut AFP down first, let me know. Otherwise the routines responded predictably. The ank -randkey command did return a comment about not having set something -- perhaps an identity, though I can't recall exactly what it said and I forgot to save it. But it appeared like something routine and the ktadd command went through fine.

Unfortunately, things behave exactly as before. Ticket is created but when AFP is set to Kerberos instead of Any Method it won't let me log in. It throws up the password server screen and then denies access. Great ideas. Made sense. Still not there.

Jul 18, 2009 6:59 PM in response to wescrenshaw

That's OK. There are a few things we have to go through. Your Keytab and principals should be in fine shape now. The message you probably saw when using the ank command was "WARNING: no policy specified for service/the.server.net@REALM.NET; defaulting to no policy". This is expected.

Performing these tasks while the AFP server was running should also have not been a problem.

So, on to the next few things:

1. The method you are using to connect
Are you using the Finder's Connect to Server command or the sidebar? You will not be able to use the sidebar for Kerberos connections, and you must type the exact hostname in the Connect to Server dialog that you specified in the principal. Have you done this?

2. Checking your Kerberos preferences on the client.
You can either look directly at /Library/Preferences/edu.mit.Kerberos or at "Edit Realms" in the Kerberos application (/System/Library/CoreServices).

A. Is your Realm defined?
B. Are the correct servers listed under the servers tab?
C. Does the domain name you are using match what is listed in the domains tab?
