
Can't authenticate against LDAP

We currently have an OpenLDAP server set up which includes the Apple schema. This database uses MIT Kerberos for passwords and has worked for authentication purposes very well through OSX 10.4, 10.5, and 10.6. However, once I upgraded one of our 10.6 machines to 10.7 I can no longer authenticate. I can still browse our LDAP server through dscl on the client. I can view our LDAP server through the "Directory Editor" tab in Directory Utility. My LDAP users are also available as contacts... Just can't authenticate with this information. From the Terminal I can also use kinit to receive a Kerberos ticket in my name without any problems.


Initially in /var/log/secure.log I would see this message:

Mar 22 14:05:41 sysops-imac-2 SecurityAgent[1364]: User info context values set for jsmillie
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Got user: jsmillie
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Got ruser: (null)
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Got service: authorization
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in od_principal_for_user(): no authauth availale for user.
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in od_principal_for_user(): failed: 7
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Done cleanup3
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): Kerberos 5 refuses you
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: in pam_sm_authenticate(): OpenDirectory - The authtok is incorrect.
Mar 22 14:05:41 sysops-imac-2 authorizationhost[1385]: Failed to authenticate user <jsmillie> (error: 9).


Did some web research and found some info about possible changes needed to /Library/Preferences/edu.mit.kerberos as well as /etc/pam.d/authorization. Best info I think I could find was here:

http://linsec.ca/Using_Kerberos_5_for_Single_Sign-On_Authentication#Setting_up_a_Mac_OS_X_Client_.2810.7.29


With these changes in place I no longer receive the "Failed to determine Kerberos principal name" message, but I still can't log in. Per the log:

Mar 26 15:43:34 Sysops-iMac-2 SecurityAgent[933]: User info context values set for jsmillie
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Got user: jsmillie
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Got ruser: (null)
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Got service: authorization
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Context initialised
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): Stashing kcm credentials in enviroment for kcminit: jsmillie
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): pam_sm_authenticate: ntlm
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: in pam_sm_authenticate(): OpenDirectory - The authtok is incorrect.
Mar 26 15:43:34 Sysops-iMac-2 authorizationhost[967]: Failed to authenticate user <jsmillie> (error: 9).


Login fails.


Last time I attended an Apple event I brought this issue up with the field service tech associated with our account. He said to change our LDAP mappings on the client to RFC2307 and try again, and that 10.7 should authenticate against anything using those mappings. Sadly it doesn't work. Same result. I have also tried to install OSX 10.7 fresh on a machine and reconfigure everything by hand. Same results in the end. For what it's worth, we also have an Open Directory server (OSX Server 10.6.8) which I can authenticate users against without any problems.


Any ideas or suggestions would be greatly appreciated. We've been working on this issue off and on since we received our 10.7 licenses without any real sense of urgency, but with new Macs now only coming with 10.7 installed we're getting closer to the wall. Thanks for reading.

Lots of PPC and Intel Macs...., Mac OS X (10.6.6)

Posted on Mar 26, 2012 12:52 PM


Aug 6, 2012 8:10 AM in response to denmoff

Sort of. After this post I was given a complimentary support case with Apple. That hasn't gone anywhere to date. I gathered lots of logs and what not, but nothing ever happened.


I went to the PSU Mac Admins Conference in May and saw a really great presentation on how they deal with LDAP and Mac logins in 10.7. Long story short, in their case and in my case the whole login issue is in /etc/pam.d/authorization and /etc/pam.d/screensaver. These are the steps I took to allow 10.7 clients to authenticate against our already working OpenLDAP database of users which uses MIT Kerberos for passwords. You will need to change things for your environment of course.


1.) Create /Library/Preferences/edu.mit.Kerberos. Fill with this data:

#NOMODIFY

[domain_realm]
.gatewayk12.org = GATEWAYK12.ORG
gatewayk12.org = GATEWAYK12.ORG

[libdefaults]
default_realm = GATEWAYK12.ORG
noaddresses = TRUE
forwardable = true
proxiable = true
renew_lifetime = 1209600
allow_weak_crypto = yes

[realms]
GATEWAYK12.ORG = {
kdc = kerberos-1.gatewayk12.org.:88
kdc = kerberos-2.gatewayk12.org.:88
kdc = kerberos-3.gatewayk12.org.:88
default_domain = gatewayk12.org
}

[v4 realms]
GATEWAYK12.ORG = {
kdc = kerberos-1.gatewayk12.org.
kdc = kerberos-2.gatewayk12.org.
kdc = kerberos-3.gatewayk12.org.
default_domain = gatewayk12.org
string_to_key_type = mit_string_to_key
}

[v4 domain_realm]
.gatewayk12.org = GATEWAYK12.ORG
gatewayk12.org = GATEWAYK12.ORG




2.) Edit /etc/pam.d/authorization. Should look as so:

auth sufficient pam_krb5.so use_first_pass default_principal
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so


**NOTE-> pam_krb5.so becomes "sufficient", we add "default_principal", and remove "use_kcminit" and "nullok"**


3.) Edit /etc/pam.d/screensaver. Should look as so:

auth sufficient pam_krb5.so use_first_pass default_principal
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe


**NOTE-> pam_krb5.so becomes "sufficient", we add "default_principal", and remove "use_kcminit" and "nullok"**


4.) Add our OpenLDAP server to Network Account Server setup. Make sure SSL is on. Use "from Server."

5.) Reboot


Your 10.7 client should now be able to log in to the machine. I have not tested this with 10.8 yet, but hope to before the week is out. Good luck!

Aug 6, 2012 9:10 AM in response to Jesse Smillie

Just upgraded my 10.7 test client to 10.8. At first it didn't work. Updating to Mountain Lion writes over pretty much everything in /etc/pam.d. Edited /etc/pam.d/authorization and /etc/pam.d/screensaver again as noted above, still didn't work. Removed "default_principal" directive from both config files. Successful login. Need to test more, but it's promising.
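The two replies above boil down to a small number of file-level facts: the edu.mit.Kerberos file must name a default realm that has a [realms] block with at least one kdc, and the /etc/pam.d service files must carry pam_krb5.so as "sufficient" with use_first_pass, without use_kcminit or nullok, with default_principal present on 10.7 and absent on 10.8 (and an OS upgrade silently rewrites those files). The script below is an added example, not code from the thread or from Apple; it parses both formats and reports drift from that layout. The sample texts are constructed inline (realm and KDC names are the ones quoted in the reply; the "stock" PAM sample is constructed to resemble what an installer writes back); on a real client you would read /Library/Preferences/edu.mit.Kerberos and /etc/pam.d/authorization instead. The allow_weak_crypto warning is a reviewer's addition: the posted file enables it, and it turns single-DES enctypes back on.

```python
"""Added example: check a krb5-style config and a /etc/pam.d service file
against the layout described in the thread. Sample inputs are constructed."""
import re

KRB5_SAMPLE = """#NOMODIFY
[domain_realm]
.gatewayk12.org = GATEWAYK12.ORG
gatewayk12.org = GATEWAYK12.ORG

[libdefaults]
default_realm = GATEWAYK12.ORG
allow_weak_crypto = yes

[realms]
GATEWAYK12.ORG = {
kdc = kerberos-1.gatewayk12.org.:88
kdc = kerberos-2.gatewayk12.org.:88
default_domain = gatewayk12.org
}
"""

# The 10.7 /etc/pam.d/authorization from the reply.
PAM_AUTHORIZATION_10_7 = """auth sufficient pam_krb5.so use_first_pass default_principal
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass
account required pam_opendirectory.so
"""

# Constructed to resemble a file the installer writes back: it still carries
# the options the reply says to remove.
PAM_AUTHORIZATION_STOCK = """auth optional pam_krb5.so use_first_pass use_kcminit
auth optional pam_ntlm.so use_first_pass
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
"""


def parse_krb5_conf(text):
    """Parse the INI-like krb5 format: plain keys map to a list of values
    (kdc repeats), a 'NAME = {' block maps to a nested dict of the same shape."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section, block = m.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("key/value outside any [section]: %r" % raw)
        if line == "}":
            block = None
            continue
        m = re.match(r"(\S+)\s*=\s*\{$", line)
        if m:
            block = m.group(1)
            sections[section].setdefault(block, {})
            continue
        key, _, value = line.partition("=")
        target = sections[section][block] if block else sections[section]
        target.setdefault(key.strip(), []).append(value.strip())
    return sections


def check_krb5(conf):
    """Return findings as 'error: ...' / 'warning: ...' strings."""
    findings = []
    libdefaults, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm is None:
        findings.append("error: [libdefaults] has no default_realm")
    elif default_realm not in realms:
        findings.append("error: default_realm %s has no [realms] block" % default_realm)
    for name, body in realms.items():
        if not isinstance(body, dict) or not body.get("kdc"):
            findings.append("error: realm %s lists no kdc" % name)
    for domain, targets in conf.get("domain_realm", {}).items():
        for realm in targets:
            if realm not in realms:
                findings.append("error: %s maps to undefined realm %s" % (domain, realm))
    if libdefaults.get("allow_weak_crypto", ["no"])[0].lower() in ("yes", "true"):
        findings.append("warning: allow_weak_crypto re-enables single-DES enctypes")
    return findings


def check_pam_stack(text, want_default_principal=True):
    """Compare a pam.d service file with the layout in the reply. Pass
    want_default_principal=False for the 10.8 variant from the follow-up."""
    findings, auth = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth":
            auth.append((parts[1], parts[2], set(parts[3:])))  # control, module, options
    krb5 = [(c, o) for c, m, o in auth if m == "pam_krb5.so"]
    if not krb5:
        return ["error: no auth line for pam_krb5.so"]
    control, opts = krb5[0]
    if control != "sufficient":
        findings.append("error: pam_krb5.so control is %s, expected sufficient" % control)
    if "use_first_pass" not in opts:
        findings.append("error: pam_krb5.so lacks use_first_pass")
    if ("default_principal" in opts) != want_default_principal:
        findings.append("error: default_principal should be %s"
                        % ("present" if want_default_principal else "absent"))
    for _, module, o in auth:
        for bad in ("use_kcminit", "nullok"):
            if bad in o:
                findings.append("error: %s still has %s" % (module, bad))
    if not any(c == "required" and m == "pam_opendirectory.so" for c, m, _ in auth):
        findings.append("error: no 'auth required pam_opendirectory.so' line")
    return findings


if __name__ == "__main__":
    for f in check_krb5(parse_krb5_conf(KRB5_SAMPLE)):
        print("edu.mit.Kerberos:", f)
    for label, sample in (("10.7", PAM_AUTHORIZATION_10_7), ("stock", PAM_AUTHORIZATION_STOCK)):
        print(label, "authorization:", check_pam_stack(sample) or "ok")
```

Run the same checks after every OS update with a launchd job or a configuration-management run; the follow-up reply shows that the 10.8 installer rewrote both files, which is exactly the drift this catches.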
