FCS auth problem
How can I diagnose auth issues with FCS?
No matter what I do I get "There was a problem with kerberos authentication" errors.
The host server is bound to AD, and I can authenticate to other services using Kerberos. AD groups have rights in FCS preferences.
I followed these instructions: http://support.apple.com/kb/HT3818
But I can't get it to auth.
I ran
-------------
./adprincadd.pl -dc DV-STAFF-DC.MSB.PRIV fcsvr/BV-XSERVE1.MSB.PRIV
Getting kerberos principal for computer account
Kerberos principal is bv-xserve1$@MSB.PRIV
Getting computer id...bv-xserve1
Getting AD Domain...msb.priv
Base DN is dc=msb,dc=priv
getting kerb ticket using bv-xserve1$@MSB.PRIV...Successfully got ticket
SASL-bind to DV-STAFF-DC.MSB.PRIV successful
Computer record is at CN=bv-xserve1,OU=Servers,DC=msb,DC=priv
Checking to see if fcsvr/bv-xserve1.msb.priv exists...yes!
Note! Service principal fcsvr/bv-xserve1.msb.priv already exists in CN=bv-xserve1,OU=Servers,DC=msb,DC=priv. Skipping creation in AD.
Finding kvno...2
Reading /etc/krb5.keytab...done.
Creating new keytab file...done.
Writing out temporary keytab...done.
Making backup of old keytab and moving new keytab into place...done.
Operation Completed. You can verify with "kinit <ad user>; kvno -k /etc/krb5.keytab fcsvr/bv-xserve1.msb.priv"
--------
Then went to check it with
--------
kinit joeswenson; kvno -k /etc/krb5.keytab fcsvr/bv-xserve1.msb.priv
Please enter the password for joeswenson@MSB.PRIV:
fcsvr/bv-xserve1.msb.priv@MSB.PRIV: kvno = 2, keytab entry invalid
kvno: Permission denied while decrypting ticket for 'fcsvr/bv-xserve1.msb.priv@MSB.PRIV'
--------
I tried enabling DES encryption on my test account and it did nothing to help.
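
An added example, not part of the original post: a minimal reader for the MIT keytab file format (version 0x0502) that lists which key version and encryption type the keytab holds for the fcsvr principal, without printing key material. The sample keytab is constructed (zero-byte keys), and counted, enctypes_at and sample_entry are hypothetical helper names.

```python
import struct

# Enctype numbers from the IANA Kerberos registry (subset).
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def counted(buf, off):
    """Read a 16-bit length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                    # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        fields, off = [], 2
        for _ in range(ncomp + 1):       # realm first, then name components
            field, off = counted(rec, off)
            fields.append(field.decode())
        kvno, etype = struct.unpack_from(">BH", rec, off + 8)  # skip type, time
        _, off = counted(rec, off + 11)  # key bytes are skipped, never shown
        if len(rec) - off >= 4:          # optional 32-bit kvno, if non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        name = "/".join(fields[1:]) + "@" + fields[0]
        entries.append((name, kvno, ENCTYPES.get(etype, str(etype))))
    return entries

def enctypes_at(entries, principal, kvno):
    """Enctypes the keytab holds for principal at the KDC's kvno."""
    return sorted(e for p, k, e in entries if p == principal and k == kvno)

def sample_entry(principal, kvno, etype, key):  # builds constructed records
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for field in [realm] + name.split("/"):
        body += struct.pack(">H", len(field)) + field.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SPN = "fcsvr/bv-xserve1.msb.priv@MSB.PRIV"  # principal from the post
SAMPLE = (b"\x05\x02" + sample_entry(SPN, 1, 23, b"\0" * 16)
          + sample_entry(SPN, 2, 3, b"\0" * 8))
```

To inspect a real file, pass the bytes of /etc/krb5.keytab to parse_keytab and compare the enctype listed at kvno 2 with the enctype of the service ticket the KDC issued.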