1 Reply Latest reply: Jan 31, 2011 11:53 AM by Joe Swenson
Joe Swenson Level 3 (735 points)
How can I diagnose auth issues with FCS?

No matter what I do I get "There was a problem with kerberos authentication" errors.

The host server is bound to AD, and I can authenticate to other services using Kerberos. AD groups have rights in FCS preferences.

I followed these instructions: http://support.apple.com/kb/HT3818

But I can't get it to auth.

I ran
./adprincadd.pl -dc DV-STAFF-DC.MSB.PRIV fcsvr/BV-XSERVE1.MSB.PRIV
Getting kerberos principal for computer account
Kerberos principal is bv-xserve1$@MSB.PRIV
Getting computer id...bv-xserve1
Getting AD Domain...msb.priv
Base DN is dc=msb,dc=priv
getting kerb ticket using bv-xserve1$@MSB.PRIV...Successfully got ticket
SASL-bind to DV-STAFF-DC.MSB.PRIV successful
Computer record is at CN=bv-xserve1,OU=Servers,DC=msb,DC=priv
Checking to see if fcsvr/bv-xserve1.msb.priv exists...yes!
Note! Service principal fcsvr/bv-xserve1.msb.priv already exists in CN=bv-xserve1,OU=Servers,DC=msb,DC=priv. Skipping creation in AD.
Finding kvno...2
Reading /etc/krb5.keytab...done.
Creating new keytab file...done.
Writing out temporary keytab...done.
Making backup of old keytab and moving new keytab into place...done.
Operation Completed. You can verify with "kinit <ad user>; kvno -k /etc/krb5.keytab fcsvr/bv-xserve1.msb.priv"

Then went to check it with

kinit joeswenson; kvno -k /etc/krb5.keytab fcsvr/bv-xserve1.msb.priv
Please enter the password for joeswenson@MSB.PRIV:
fcsvr/bv-xserve1.msb.priv@MSB.PRIV: kvno = 2, keytab entry invalid
kvno: Permission denied while decrypting ticket for 'fcsvr/bv-xserve1.msb.priv@MSB.PRIV'

I tried enabling DES encryption on my test account and it did nothing to help.