Kerberos Version 5 error

Same issue here; have you made any progress?

Fred,

I'm interested in what you heard from the Apple folks. I'm experimenting with this as well and seeing the same behavior you described.

Thanks.

Tim

http://support.apple.com/kb/HT4778

This helped me fix it on my server (the lines were not filled in at all by server.app)

Justin,

Thanks for the post. The auth_gssapi_hostname line was also not filled in for me. I tried the change but but no luck. Today my mail server is on a second MacMini. Both servers are running Mavericks. Server1 hosts my OD, Server2 hosts mail. When I try to use Kerberos, I get in the logs on Server1:

Searching referral for server2.mydomain.com
Server not found in database: krbtgt/MYDOMAIN.COM@SERVER1.MYDOMAIN.COM: no such entry found in hdb.
Failed building TGS-REP to ipaddress:port
TGS-REP user@SERVER1.MYDOMAIN.COM from ipaddress:port for imap/server2.mydomain.com@SERVER1.MYDOMAIN.COM [forwardable]
Server not found in database: imap/server2.mydomain.com@SERVER1.MYDOMAIN.COM: no such entry found in hdb

Failed building TGS-REP to ipaddress:port

I'm not sure if the OP got this fixed. I don't know what errors I had back in October, but my config is a little different today. Since this seems to cross versions and configs, I suspect it is a configuration problem stemming from a lack of proper certs or documentation from Apple.

Tim

Is your second server bound to your first one in the Accounts panel of System Preferences?

Do you have a username server2 in your accounts panel?

Here is what I would honestly suggest - turn on OD on Server2 and set it up as a replica server of Server1 and then change your dovecot .conf file to point to server2 and restart all the services and try again.

Hello Justin,

Yes, it is. And I have also enrolled it with Profile Manager. I do not have a username server2 in my accounts panel. I have never heard or read anywhere to do that; is that something you explicitly configure? I'd be happy to find that all my problems are coming from a lack of understanding regarding how I am supposed to be configuring the server for client binding.

A little more history of my situation. For a bit I had the mail server in a virtual machine running off of server2. As part of testing to solve this and other issues which I believe(d) are stemming from certs, kerberos and Profile Manager, I moved the mail server to server2. Before that, I had server2 configured as an ODR but it was clearly not staying in sync with the ODM, and when I started the mail server on server2, it immediately became an apparent issue.

I've never successfully preflighted the ODR. I always get the rootDSE not found and Unable to determin the master's software version errors.

I have another thread started asking for help with what I think are related issues. Perhaps you have some thoughts and experiences that may help.

Thanks.

Tim

Edit: After writing this, I decided to bring up Workgroup Manager and see what is listed for computers (I hadn't done that it awhile). The older mail$ is listed but server2 is not. I'll go through and check all the bindings again but in the past I have not found any obvious issues.

I cannot pretend to be an OD master or even an Apple Server expert but I just thought looking at this line:

imap/server2.mydomain.com@SERVER1.MYDOMAIN.COM

That probably you will need to have a replica OD server on your second mini or else do a lot of complicated re-configuration somewhere. Just to a test i did just setup a VM on my iMac as a replica of the OD on my mini and there were no errors doing so. If you haven't tried in a while I'd give it a shot again. It was a clean VM so I hadn't touched any other settings elsewhere.

I did try the preflight again a few mins ago and it failed. I have not tried to test from a VM which is a good idea. One reason I've shied away from VMs is that I could not get them to enroll with Profile Manager. Are you? What are you using for virtualization?

Tim

I actually haven't tried to enroll with profile manager to be honest. I am using Parallels Desktop 9 and I know that it lets me enroll the Cachine Service with Apple which I understand used to fail in the past due to problems with the serial number it would provide to the Apple servers, I guess that issue is now fixed.

Justin, thank you! Your comments got me thinking about authenticated binding. My server had it on as optional and so, to keep things simple, I have been binding anonymously.

So, I removed server2 from profile manager, unbound it, then re-enrolled and bound it with authentication. It showed up in Workgroup Manager for the first time and the hardware UUID was filled in. I did the same thing with my primary Mavericks client (which was already showing up in Workgroup Manager but without hardware UUID). Now that both machines are bound using authentication and the hardware UUID field is filled int, kerberos authentication works! And, Notes appears to be working but I want to test it more.

An ODR preflight from server2 still fails, but I can go back and check some of the other issues that could cause that now.

My Mavericks client is again reindexing with Spotlight and so I'm going to let that run. My initial test of the issue I described in the other thread (i.e., logging back in after using the client with another username wipes the passwords) failed so I'm hoping the reindexing solves that. I know that now when I use klist on the client, one of the tickets that shows up now is for afpserver, so that is progress and I'm hopeful.

Other thoughs are welcome.

Thank you again!

Tim

Looking for a solution to this problem as well. I only have a single server, so its not that. Everything authenticates fine on MD5, just not on Kerberos. SMTP seems to work fine on Kerberos, just IMAP not.

Follow the instructions on this link: https://discussions.apple.com/thread/5096772?answerId=24973847022#24973847022&ac_cid=tw123456#24973847

That was the exact problem I was having and is something that Apple needs to fix in their server configuration.

Truly what Apple should do is just have an "advanced" section for each server that lets you direclty edit the .plist and .conf files for everything directly and then REMEMBER your edits. They should ALSO add a "reset" to default for each server function that returns just that one function to its clean state status in case of a serious bug.

Thanks Justin,

Your link it pointing this this same discussion, probably a typo .

I look forward to seeing what fixed it for you.

~Mike

http://support.apple.com/kb/HT4778

Sorry!