Ah, I see, the kdc.log is on the OD server, not on
the file server where I was looking for it.
OK, in the kdc logfile I have a lot of entries like
these ones:
Kerberos is an auth system where the user authenticates to the kdc and is issued a TGT (Ticket Granting Ticket). The user then presents their TGT and a service principal (Kerberos name of a server) to the kdc to get a service ticket. The user then sends the service ticket to the server, which lets the user in.
Some interpretation:
Mar 22 09:18:35 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.23: UNKNOWN_SERVER: authtime 1143003387, zds02@ZOOL09.ABC.XY for krbtgt/ABC.XY@ZOOL09.ABC.XY, Server not found in Kerberos database
This (TGS_REQ) is a request for a service ticket from 130.60.23.23 using the TGT owned by zds02@ZOOL09.ABC.XY, to get a service ticket for krbtgt/ABC.XY@ZOOL09.ABC.XY. It looks like krbtgt/ABC.XY@ZOOL09.ABC.XY is not in your kdc's database. This looks like a cross-realm request.
If you are also connected to an active directory system you might see something like this.
Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: NEEDED_PREAUTH: zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XY@ZOOL09.ABC.XY, Additional pre-authentication required
Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: ISSUE: authtime 1143015560, etypes {rep=16 tkt=16 ses=16}, zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XY@ZOOL09.ABC.XY
The AS_REQs above are the two-step authentication process for user zds01@ZOOL09.ABC.XY from 130.60.23.11.
Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: UNKNOWN_SERVER: authtime 1143001370, zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XYusers@ZOOL09.ABC.XY, Server not found in Kerberos database
This is another service ticket request. Though the requested service principal looks malformed, I would look for something misconfigured on 130.60.23.11.
Possibly watch what user zds01 is doing during login to get some idea of what's going on.
Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: UNKNOWN_SERVER: authtime 1143001370, zds01@ZOOL09.ABC.XY for krbtgt/ABC.XYusers@ZOOL09.ABC.XY, Server not found in Kerberos database
Same as above.
What do they mean? I didn't set up Kerberos
authentication, I think I don't need it, is there any
way to disable it? Or am I using it without knowing
it??
When you set up the OD Master, a kdc & the needed files were set up to allow single sign on to all the kerberized services in the system.
- see if you have an
/Library/Preferences/edu.mit.Kerberos file
- Also look for an /etc/krb5.keytab file
Yes, I have both of them.
kadmin.local -q listprincs on the OD server gives me
a long list of computers, users and services like
this:
I don't know what these all mean... could you give me
a brief explanation?
computer_name@ZOOL09.ABC.XY
When you create a computer record in Workgroup Manager a generic principal name is added to the kdc for that computer. It is related to the host/computer_name@REALM service principal for servers.
user_name@ZOOL09.ABC.XY
This is a user principal (this is the account name for the user in the Kerberos system). Sometimes you will see user/admin@REALM.
afpserver/zool09.abc.xy@ZOOL09.ABC.XY
This is a service principal. They usually are in the form service_type/server_dnsname@REALM
One of the things that Kerberos is very sensitive to is correct DNS configuration. You need to have both forward (name -> IP) and reverse (IP -> name) DNS set up for all the servers in your realm.
Hope this helps
- Leland
DP G4 Mac OS X (10.4.5)
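As an added example (not part of the thread above, and not Leland's or the original poster's code), here is a small Python parser for krb5kdc log lines of the kind quoted in this thread. It splits each entry into request type (AS_REQ / TGS_REQ), client IP, status, requesting principal and requested service, classifies the service principal using the naming forms Leland describes (user or computer, service_type/server_dnsname@REALM, local krbtgt, cross-realm krbtgt), and lists per client IP which TGTs were issued and which service-ticket requests failed with UNKNOWN_SERVER. The sample log is assembled from the entries quoted in the thread, joined back onto single lines; the check that a krbtgt instance with lower-case characters is "malformed" is an assumption based on the convention that realm names are upper-case.

```python
"""Parse krb5kdc log lines like the ones quoted above and triage them.

Added example, not code from the thread. The sample log below is assembled
from the entries quoted in the thread, joined back onto single lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Mar 22 09:18:35 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.23: UNKNOWN_SERVER: authtime 1143003387, zds02@ZOOL09.ABC.XY for krbtgt/ABC.XY@ZOOL09.ABC.XY, Server not found in Kerberos database
Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: NEEDED_PREAUTH: zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XY@ZOOL09.ABC.XY, Additional pre-authentication required
Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: ISSUE: authtime 1143015560, etypes {rep=16 tkt=16 ses=16}, zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XY@ZOOL09.ABC.XY
Mar 22 09:19:20 zool09.abc.xy krb5kdc[218](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 130.60.23.11: UNKNOWN_SERVER: authtime 1143001370, zds01@ZOOL09.ABC.XY for krbtgt/ZOOL09.ABC.XYusers@ZOOL09.ABC.XY, Server not found in Kerberos database
"""


@dataclass
class KdcEntry:
    timestamp: str
    kdc_host: str
    request: str            # AS_REQ (initial login) or TGS_REQ (service ticket request)
    client_ip: str
    status: str             # ISSUE, NEEDED_PREAUTH, UNKNOWN_SERVER, ...
    client: str             # principal making the request
    service: str            # service principal being requested
    message: Optional[str]  # trailing human-readable text, if any


# One krb5kdc line: syslog prefix, request type, etype list, client IP, status,
# optional "authtime N," and "etypes {...}," fields, then "client for service[, message]".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime \d+, )?(?:etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>\S+?)(?:, (?P<msg>.*))?$"
)


def parse_line(line: str) -> Optional[KdcEntry]:
    """Return a KdcEntry for a recognised line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return KdcEntry(m["ts"], m["host"], m["req"], m["ip"], m["status"],
                    m["client"], m["service"], m["msg"])


def parse_log(text: str) -> List[KdcEntry]:
    """Parse every recognised line of a log file's contents."""
    entries = (parse_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def classify_principal(principal: str) -> str:
    """Name the principal type using the forms described in the thread."""
    name, _, realm = principal.rpartition("@")
    if "/" not in name:
        # user_name@REALM and computer_name@REALM look the same syntactically
        return "user-or-computer"
    service_type, _, instance = name.partition("/")
    if service_type != "krbtgt":
        return "service"          # e.g. afpserver/zool09.abc.xy@REALM
    if instance == realm:
        return "tgt-local"        # TGT for the KDC's own realm
    if instance != instance.upper():
        # assumption: realm names are upper-case, so a mixed-case krbtgt
        # instance (like ZOOL09.ABC.XYusers) is a mangled principal, not a realm
        return "tgt-malformed"
    return "tgt-cross-realm"      # TGT for another realm, as in a cross-realm request


def triage(entries: List[KdcEntry]) -> Dict[str, List[str]]:
    """Per client IP: TGTs issued and service-ticket requests the KDC rejected."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if e.request == "AS_REQ" and e.status == "ISSUE":
            note = f"TGT issued to {e.client}"
        elif e.status == "UNKNOWN_SERVER":
            kind = classify_principal(e.service)
            note = f"{e.client} asked for {e.service} [{kind}]: {e.message}"
        else:
            continue  # NEEDED_PREAUTH is the normal first half of an AS exchange
        findings.setdefault(e.client_ip, []).append(note)
    return findings


if __name__ == "__main__":
    for ip, notes in triage(parse_log(SAMPLE_LOG)).items():
        print(ip)
        for note in notes:
            print("   ", note)
```

Run against a real kdc.log, the per-IP view makes the pattern in the thread easy to spot: 130.60.23.11 gets a TGT normally and then asks for a krbtgt principal that is neither the local realm nor a plausible other realm, which points at a client-side configuration problem on that host rather than at the KDC.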