
Can't authenticate with Kerberised services.

Hi,


When I log in to Lion (client 10.7.3) I don't get any tickets. When I run kinit and enter my password I get a ticket. I then try and connect to my Mac Mini (running Lion Server 10.7.3) via the Finder but it fails to connect without me having to manually enter the password for my account. I'm not able to authenticate to services like Mail using Kerberos either.


There are a few lines in the Kerberos log file that state the following (some items renamed):


2012-02-29T21:27:28 TGS-REQ foo@SERVER.EXAMPLE.CO.UK from 192.168.2.3:63650 for afpserver/server-example-co-uk.local@SERVER.EXAMPLE.CO.UK [canonicalize]

2012-02-29T21:27:29 Searching referral for server-example-co-uk.local

2012-02-29T21:27:29 Server not found in database: krbtgt/LOCAL@SERVER.EXAMPLE.CO.UK: no such entry found in hdb

2012-02-29T21:27:29 Failed building TGS-REP to 192.168.2.3:63650


I've noticed that I have no /etc/krb5.conf config file, but this might be normal - I'm guessing Apple might have moved some configuration somewhere else. I tried setting up my DNS with the Kerberos service records. changeip -checkhostname all looks good.


The only odd thing I can see is that it looks like it's trying to look for "afpserver/server-example-co-uk.local@SERVER.EXAMPLE.CO.UK" which indeed does not exist in the keytab file. However, "afpserver/server.example.co.uk@SERVER.EXAMPLE.CO.UK" does exist.


Could this be the problem? Where is the .local suffix coming from? And why are the periods being replaced with hyphens in the hostname?


Any other ideas or suggestions?


Thanks in advance!

Posted on Feb 29, 2012 2:33 PM

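As an added example (not from the original post), a small diagnostic over the four KDC log lines quoted above: it pairs each TGS-REQ with the referral the KDC tried and the TGS-REP failure, and checks the requested service principal against the keytab principals the poster says exist. The log text and keytab set are constructed from the post; the regexes assume Heimdal's log wording as shown there.

```python
import re

# Constructed sample: the KDC log lines quoted in the post (names as renamed by
# the poster) and the one afpserver principal the poster says the keytab holds.
KDC_LOG = """\
2012-02-29T21:27:28 TGS-REQ foo@SERVER.EXAMPLE.CO.UK from 192.168.2.3:63650 for afpserver/server-example-co-uk.local@SERVER.EXAMPLE.CO.UK [canonicalize]
2012-02-29T21:27:29 Searching referral for server-example-co-uk.local
2012-02-29T21:27:29 Server not found in database: krbtgt/LOCAL@SERVER.EXAMPLE.CO.UK: no such entry found in hdb
2012-02-29T21:27:29 Failed building TGS-REP to 192.168.2.3:63650
"""
KEYTAB_PRINCIPALS = {"afpserver/server.example.co.uk@SERVER.EXAMPLE.CO.UK"}

TGS_REQ = re.compile(r"^(\S+) TGS-REQ (\S+) from (\S+) for (\S+?)(?: \[(\w+)\])?$")
NOT_FOUND = re.compile(r"^\S+ Server not found in database: (\S+?): ")
FAILED = re.compile(r"^\S+ Failed building TGS-REP to (\S+)$")


def diagnose(log_text, keytab_principals):
    """Walk the KDC log; for each TGS-REQ whose service principal is not in the
    keytab, record what the KDC tried instead and which keytab entries share the
    same service name (the likely intended principal)."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = TGS_REQ.match(line)
        if m:
            ts, client, src, spn, flag = m.groups()
            service = spn.split("/", 1)[0]
            current = {
                "time": ts, "client": client, "source": src, "requested": spn,
                "canonicalize": flag == "canonicalize",
                "in_keytab": spn in keytab_principals,
                # Keytab entries for the same service under a different hostname
                "same_service": sorted(p for p in keytab_principals
                                       if p.split("/", 1)[0] == service),
                "referral_tried": None, "tgs_rep_failed": False,
            }
            findings.append(current)
            continue
        if current is None:
            continue
        m = NOT_FOUND.match(line)
        if m:
            # krbtgt/<REALM> here means the KDC looked for a cross-realm
            # referral, e.g. krbtgt/LOCAL for a hostname ending in ".local"
            current["referral_tried"] = m.group(1)
        else:
            f = FAILED.match(line)
            if f and f.group(1) == current["source"]:
                current["tgs_rep_failed"] = True
    return [f for f in findings if not f["in_keytab"]]
```

Running `diagnose(KDC_LOG, KEYTAB_PRINCIPALS)` yields one finding whose `same_service` list points at the afpserver principal that is actually in the keytab.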

Mar 1, 2012 1:16 PM in response to Paul Verity

Ok, so it turns out I can't access an AFP service via the Finder's sidebar, I have to use the "Connect to Server..." route and type the full hostname. Is this expected? Seems very odd to me.


However, it still leaves me wondering why I don't get a ticket when I log in. User credentials are held in OD on the server, and the login name and password I use logging in to Lion (client) are the same as they are in OD.


Ultimately I'd like a user's remote/shared directories on the server to be automatically mounted and visible in the Finder when the user logs in.


If it means anything, /Library/Preferences/edu.mit.Kerberos.kadmind.launchd is empty. Should it be?

Mar 5, 2012 8:57 AM in response to gpw_wmbg

This may be a service ACL issue - See my ticket which was just resolved by AppleCare.


https://discussions.apple.com/thread/3724103?answerId=17763467022#17763467022


It turns out one of the latest Apple updates turned on Service ACLs, which caused AFP connections to be blocked. Once I fixed the Service ACL in Server Admin, all connections and Single Sign On worked.

Mar 10, 2012 4:47 PM in response to Paul Verity

This just gets worse! I tried binding the server with the directory hosted on the server to see if that would make any difference, and now when I open WGM and try to make changes by authenticating with the diradmin account I get the error:


The login information is not valid for this server.


"The server failed to accept the login information you provided. Check the Name and Password and try to log in again or contact your network administrator."


I know the diradmin password is correct as I've used it plenty of times!


How do I fix this one?!

Mar 17, 2012 2:32 PM in response to Newbie-2-macs

Hi Newbie,


Many thanks for the info. This is a new setup. Admittedly I have had nothing but pain in getting Lion Server running. It has so far taken 4 fresh re-installs to get the services running that I wanted. I have had services fail one by one a number of times, leading me to start afresh each time rather than poke about under the covers. However, I got enough of what I wanted working, and decided to quit while I was ahead. Unfortunately, services have started to fail again and I don't want to do a fresh install again at this late stage.


All I have working at the moment is Mail, Calendar and Contacts (Web server and Profile Manager no longer work). I'm not sure if Kerberos ever worked, but when I tried to create shared folders for a user to mount at login, it didn't work, which has led me down this path. I don't want to re-install again if I can avoid it, so I'd like to understand the root of my problems and try to fix them.


I'll check out the article and let you know how it goes!


Paul

Mar 17, 2012 5:07 PM in response to Paul Verity

Right, I seem to be making some progress; I can now log in to WGM (Workgroup Manager) again.


It seemed my keytab file was not quite in sync with the KDC database. The KVNOs were higher when viewed in kadmin than those in the keytab. I tried running ktutil purge to update it; it returned very quickly with very little feedback, so I assumed nothing significant happened. So I tried ktutil change. It ran through the keytab file updating it, with some feedback noting some problems with some realms. On running ktutil list, I noticed a number of the principals had their KVNOs updated. I was then able to log in to WGM using the diradmin account again!


The errors highlighted that my server's hostname does not have an entry in this file, nor do the usernames of those that can't authenticate with the AFP service. I do however seem to have a number of entries like this:


1 aes256-cts-hmac-sha1-96 host/LKDC:SHA1.<long_hash_key>@LKDC:SHA1.<long_hash_key>

1 aes128-cts-hmac-sha1-96 host/LKDC:SHA1.<long_hash_key>@LKDC:SHA1.<long_hash_key>

1 des3-cbc-sha1 host/LKDC:SHA1.<long_hash_key>@LKDC:SHA1.<long_hash_key>


Is this expected? Or is this corrupted?


I'm noticing that the ticket the user gets (verified by running klist -v) after using kinit, still has a lower KVNO than the one shown in running kadmin get <principal_name>.


I tried adding a user principal using:


ktutil get -p <username> <username>


It prompts me to enter the password:

<username>@SERVER.EXAMPLE.CO.UK's Password:


But after doing so I get the error:


ktutil: kadm5_create_principal(<username>): Operation requires `add' privilege


So if the user is not in the keytab, could this be why the user doesn't get a ticket when logging in? And where is it getting the KVNO from when running kinit?


Paul
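The keytab/KDC KVNO mismatch described above, as an added example that is not part of the original post: two small parsers read `ktutil list` and `kadmin get` output and report keytab entries whose KVNO lags the KDC, plus KDC principals with no keytab entry at all. The sample outputs are constructed (values modelled on the post), and the column/field layout is assumed to be Heimdal's as shown in the thread.

```python
import re

# Constructed sample output of `ktutil list` (Heimdal layout: Vno, Type, Principal).
KTUTIL_LIST = """\
FILE:/etc/krb5.keytab

Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  afpserver/server.example.co.uk@SERVER.EXAMPLE.CO.UK
  2  aes128-cts-hmac-sha1-96  afpserver/server.example.co.uk@SERVER.EXAMPLE.CO.UK
  1  aes256-cts-hmac-sha1-96  host/LKDC:SHA1.<long_hash_key>@LKDC:SHA1.<long_hash_key>
"""

# Constructed sample output of `kadmin get` for two principals (Kvno lines only matter).
KADMIN_GET = """\
            Principal: afpserver/server.example.co.uk@SERVER.EXAMPLE.CO.UK
    Principal expires: never
                 Kvno: 3

            Principal: host/server.example.co.uk@SERVER.EXAMPLE.CO.UK
    Principal expires: never
                 Kvno: 1
"""


def parse_ktutil_list(text):
    """Map principal -> highest Vno in the keytab (one line per enctype)."""
    kvnos = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+\S+\s+(\S+@\S+)\s*$", line)
        if m:
            vno, princ = int(m.group(1)), m.group(2)
            kvnos[princ] = max(vno, kvnos.get(princ, 0))
    return kvnos


def parse_kadmin_get(text):
    """Map principal -> Kvno from `kadmin get` output (one block per principal)."""
    kvnos, princ = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*Principal:\s+(\S+)", line)
        if m:
            princ = m.group(1)
            continue
        m = re.match(r"^\s*Kvno:\s+(\d+)", line)
        if m and princ:
            kvnos[princ] = int(m.group(1))
    return kvnos


def find_stale_keytab_entries(keytab, kdc):
    """Return ({principal: (keytab_kvno, kdc_kvno)} for lagging entries,
    {KDC principals absent from the keytab})."""
    stale = {p: (keytab[p], kdc[p]) for p in keytab if p in kdc and keytab[p] < kdc[p]}
    return stale, set(kdc) - set(keytab)
```

An entry that lags the KDC is exactly the state `ktutil change` repaired in the post; a KDC principal with no keytab entry cannot be served at all by that host.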

Mar 18, 2012 2:27 AM in response to Paul Verity

In 10.5 Apple introduced a local KDC for each individual machine. Each LKDC is unique for every client on a network. When clients are imaged the LKDC should have a new hash key generated using a command that I forget at the moment. But these are what you are seeing. Server 10.6 had LKDC entries for AFP and for some other services when the Klist -kit command was run.


If possible you may wish to re-build the OD, but having played with Lion Server for a while it doesn't look like you can demote the server to a stand-alone server using the Server.app. You may be able to use Server Admin to do this. However, you will lose all stored Kerberos information, the password database and LDAP information, as well as any users created and preferences managed with WGM.


If the process is the same as 10.6 you should then be able to remove the krb file for the domain you had set up. When the server gets promoted back to OD master, the server should use a default file and re-create the krb file again.


You may want to check this info though, as I am just going through what I would do on a 10.6 server, and I haven't done this in a long time.

