
Kerberos Ticket expired on login

I have a fresh install of Lion that did have Kerberos functioning properly, but I've noticed recently that a lot of clients are regularly unable to connect to iChat when they log in, with an error message saying the server doesn't support Kerberos, while other clients connect to iChat with no problems.


I have looked in Core Services > Ticket Viewer and can see that on the clients with the connection problem there is a ticket with the user name but the incorrect realm @WELLKNOWN:COM.APPLE.LKDC, and it expired in 1970!!


If I delete this ticket and add a new one, the correct realm is shown and iChat connects properly, but on the next login the incorrect ticket will be back!

Posted on Aug 1, 2012 3:50 AM

16 replies

Aug 9, 2012 6:46 PM in response to tcpudp

I'm having the same problem but with afp and can now reliably repeat the creation of the 'wellknown' ticket.


On the client


1. Delete all identities in Ticket Viewer.

2. Go to Finder and click on my server from a local folder - this will generate the '@WELLKNOWN:COM.APPLE.LKDC' ticket every time.

3. Finder hangs for a few moments and then shows the shared directories (I'm guessing not using Kerberos).


I think the issue with AFP is to do with using .local rather than the fully qualified domain name that the other services are using, and this might be a similar problem with iChat.


I was having problems with the mail server and clients authenticating to it, but fixed that by clearing out the local KDC (LKDC) on the client using:


1. sudo rm -rf /var/db/krb5kdc

2. sudo rm -rf /etc/krb5.keytab

3. sudo rm -rf /Library/Preferences/edu.mit.Kerberos

4. Bind the Client to the Server again.


I have the server running Mail, Calendar and Contact, and watching the ticket viewer Contacts is very reliable at creating the correct tickets when I start it.


Have you tried setting the correct ticket as 'default' using the button in ticket viewer or deleting all the identities and adding the correct ticket directly in ticket viewer then making it default? This might help with the reset on re-login.


For reference both the client and server are running 10.8 and were upgraded from 10.7.4.


Hope this helps, and if I find out anything else useful I'll post it.

Aug 10, 2012 1:52 AM in response to Kevin Neal

It should make no difference: if you can make it work manually under /Library/Preferences, then using WGM to push it should do the same job. The problem is we can't even get the manual thing to make a difference. This local KDC just keeps coming back whatever I tried.


I've tried to set the correct ticket as the default manually in the Ticket Viewer, but it didn't survive a logout.

Aug 14, 2012 12:28 PM in response to Rambling Man


Rambling Man wrote:


I was having problems with the mail server and clients authenticating to it, but fixed that by clearing out the local KDC (LKDC) on the client using:


1. sudo rm -rf /var/db/krb5kdc

2. sudo rm -rf /etc/krb5.keytab

3. sudo rm -rf /Library/Preferences/edu.mit.Kerberos

4. Bind the Client to the Server again.



Just wanted to update the discussion on the LKDC element of my post.

I don't believe the LKDC is having any impact on the problem, and have reset it by:


  1. Ensuring the existing LKDC data is removed:
    1. Repeat sudo rm -rf /var/db/krb5kdc
    2. Repeat sudo rm -rf /etc/krb5.keytab
    3. Open Keychain Access, search for 'kdc', then delete the 3 com.apple.kerberos.kdc items.
  2. Run the command to reinstall the LKDC: sudo /usr/libexec/configureLocalKDC. This is non-destructive, so it can be rerun without upsetting anything.
  3. Re-bind the client to the server.


This will reset the LKDC. I tested it by sharing the screen of my server and looking for the long LKDC ticket to appear in Ticket Viewer, which it did.
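The reset above deletes the client's LKDC state outright. The following is an added example (my own, not commands from this thread): it moves the same items aside into a backup directory instead of removing them, and can put them back, so the reset can be undone if it turns out not to be the cause. It rehearses on a scratch tree built under mktemp; only a root of "/" touches the real system. The configureLocalKDC and re-bind steps are unchanged and are left to the procedure above.

```shell
#!/bin/sh
# Added example, not the poster's commands: stash the client's LKDC state in a
# backup directory (reversible) instead of rm -rf, then restore it if needed.

# Items the thread's procedure removes, relative to the root ("/" on a real Mac).
LKDC_ITEMS='var/db/krb5kdc etc/krb5.keytab Library/Preferences/edu.mit.Kerberos'

# stash_lkdc_state ROOT DEST
# Moves each LKDC item found under ROOT into DEST, keeping its relative path,
# and prints how many items were moved. ROOT="/" acts on the live system (run
# with sudo); any other ROOT lets you rehearse on a scratch tree.
stash_lkdc_state() {
    root="${1%/}"; dest="${2%/}"
    moved=0
    for item in $LKDC_ITEMS; do
        src="$root/$item"
        if [ -e "$src" ]; then
            mkdir -p "$dest/$(dirname "$item")"
            mv "$src" "$dest/$item"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# restore_lkdc_state DEST ROOT
# Undo: moves every stashed item back under ROOT; prints how many were restored.
restore_lkdc_state() {
    dest="${1%/}"; root="${2%/}"
    restored=0
    for item in $LKDC_ITEMS; do
        if [ -e "$dest/$item" ]; then
            mkdir -p "$root/$(dirname "$item")"
            mv "$dest/$item" "$root/$item"
            restored=$((restored + 1))
        fi
    done
    echo "$restored"
}

# Rehearsal on a constructed scratch tree (no system paths are touched):
# builds a fake krb5kdc directory and keytab, stashes them, checks they are
# gone, restores them, checks they are back. Prints "moved left restored back".
demo_stash() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/var/db/krb5kdc" "$tmp/root/etc"
    : > "$tmp/root/etc/krb5.keytab"
    n=$(stash_lkdc_state "$tmp/root" "$tmp/backup")
    left=0; [ -e "$tmp/root/etc/krb5.keytab" ] && left=1
    r=$(restore_lkdc_state "$tmp/backup" "$tmp/root")
    back=0; [ -e "$tmp/root/etc/krb5.keytab" ] && back=1
    rm -rf "$tmp"
    echo "$n $left $r $back"
}

demo_stash
# On a real client the live equivalent would be, as root:
#   stash_lkdc_state / /var/root/lkdc-backup-$(date +%Y%m%d)
# followed by /usr/libexec/configureLocalKDC and re-binding, as in the thread.
```

The Keychain Access step (deleting the com.apple.kerberos.kdc items) is not covered here, since those live in the System keychain rather than on the filesystem paths above.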

Sep 3, 2012 12:23 PM in response to Kevin Neal

Here, 10.7.4 upgraded to 10.8.1.


Using Mac mini server, dual Ethernet, dual domain, portable homes.

Users can't log in. There is a window saying that due to an error it is unable to log in.

'@WELLKNOWN:COM.APPLE.LKDC' ticket every time.

Users that were portable home users before the 10.8 upgrade can log in.

But when the desktop opens, the cube transition throws you back to the login screen (endless loop after the password). The only way to get "logged in" to a desktop that stays was to unbind and log in.


I think the AFP realm is pointing to the other domain, not sure...

Sep 19, 2012 6:18 AM in response to Kevin Neal

Same thing here: the default principal is not persistent.


What I'm doing as a workaround is the following: I wrote a script named "kswitch.command" that is supposed to be executed when the user logs in.


#!/bin/bash

# Switch the default principal.
# Providing the username seems to be sufficient and uses the "real" realm.
kswitch -p "$(whoami)"


I put it in the network home share /Users/Shared/Scripts and configured it as a login item via WGM. There might be a better solution, but at least it works for me.
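The kswitch workaround above passes only the username and relies on kswitch picking the right cache. As an added example (mine, not the poster's script), here is a login-time script that makes that choice explicit: it reads the cache list, skips any identity in the WELLKNOWN:COM.APPLE.LKDC realm and any cache already marked expired (the 1970 ticket from the first post), and only then hands a concrete principal to kswitch. The embedded klist listing is constructed sample data; its column layout approximates Heimdal's `klist -l` output and the exact header and spacing are an assumption, as is the ">>>Expired<<<" / "(Expired)" marker text.

```shell
#!/bin/sh
# Added example (not from the thread): choose the credential cache that should
# be the default, avoiding the auto-generated LKDC identity and expired tickets,
# and pass it to kswitch explicitly.

LKDC_REALM='WELLKNOWN:COM.APPLE.LKDC'

# Constructed sample of `klist -l` output (layout approximates Heimdal's cache
# listing; header text and spacing are assumptions). The "*" marks the cache
# that is currently the default.
SAMPLE_KLIST='  Name                            Cache name   Expires
  jsmith@WELLKNOWN:COM.APPLE.LKDC  API:501:2    >>>Expired<<<
* jsmith@EXAMPLE.COM               API:501:1    Aug  1 19:00:00 2012
  admin@EXAMPLE.COM                API:501:3    >>>Expired<<<'

# realm_of PRINCIPAL -> prints the realm (text after the last "@")
realm_of() {
    printf '%s\n' "$1" | sed 's/.*@//'
}

# is_lkdc PRINCIPAL -> succeeds if the principal lives in the local KDC realm
is_lkdc() {
    [ "$(realm_of "$1")" = "$LKDC_REALM" ]
}

# usable_principals USER  (reads a klist listing on stdin)
# Prints, one per line, principals whose name is USER, whose realm is not the
# LKDC, and whose line is not marked expired (Heimdal prints ">>>Expired<<<",
# MIT prints "(Expired)"; both contain the word "Expired").
usable_principals() {
    user="$1"
    # Drop the leading "*" default marker so the principal is always field 1.
    sed 's/^\* */  /' | awk -v u="$user" -v lkdc="$LKDC_REALM" '
        NR == 1 && $1 == "Name" { next }      # header line
        /Expired/ { next }                     # expired cache
        {
            split($1, parts, "@")
            if (parts[1] == u && parts[2] != lkdc) print $1
        }'
}

# choose_default USER  (reads a klist listing on stdin)
# Prints the first usable principal, or nothing if none qualifies.
choose_default() {
    usable_principals "$1" | head -n 1
}

# Demo on the constructed sample: prints "would run: kswitch -p jsmith@EXAMPLE.COM"
chosen=$(printf '%s\n' "$SAMPLE_KLIST" | choose_default jsmith)
printf 'would run: kswitch -p %s\n' "$chosen"

# On a real client, "--apply" acts on the live listing (assumes Heimdal's
# klist/kswitch as shipped with OS X) and leaves the default alone if no
# non-LKDC, unexpired cache exists for the logged-in user.
if [ "${1:-}" = "--apply" ]; then
    chosen=$(klist -l 2>/dev/null | choose_default "$(whoami)")
    [ -n "$chosen" ] && kswitch -p "$chosen"
fi
```

Compared with the one-liner, this leaves the default untouched when the only cache for the user is the LKDC one, so a login script cannot switch to the bogus identity by accident; logging the chosen principal from the script is also a cheap way to see on which clients the LKDC ticket keeps reappearing.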
