Failed building TGS-REP in system log. Normal?
This is dealing with Server 3.1.2 on 10.9.4 and 10.9 clients connecting.
This is pretty much direct out of the box install of both the server and client.
I'm doing a standard (non-authenticated) bind to OD and am able to login with my newly created OD user no problem.
So, basically...it works.
Details:
OD Server: osx-server01.spptech.com
OD Client: osx-mav01.spptech.com
OD User: benmac
A klist upon login shows the following:
OSX-MAV01:~ benmac$ klist
Credentials cache: API:7AE8722E-76F2-4DB2-8CD1-E07631D8C1A1
Principal: benmac@OSX-SERVER01.SPPTECH.COM
Issued Expires Principal
Jul 12 08:26:22 2014 Jul 12 18:26:22 2014 krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM
I'm pretty sure the above is correct, although I don't have a lot of experience to know what a "proper" kerberos configuration in OD should look like.
What I'm concerned about are the errors in my System log relating to Kerberos. Below is what a login produces. I've highlighted in bold what troubles me:
>>>LOG BEGIN
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:54482 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM
Jul 12 08:18:03 --- last message repeated 1 time ---
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:52872 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM
Jul 12 08:18:03 --- last message repeated 1 time ---
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Client sent patypes: ENC-TS
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: ENC-TS pre-authentication succeeded -- benmac@OSX-SERVER01.SPPTECH.COM
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Requested flags: forwardable
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:56642 for host/osx-mav01.local@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Searching referral for osx-mav01.local
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:56642
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:62796 for krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM [forwardable]
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:62796
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:54576 for ldap/osx-server01.spptech.com@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:52707 for ldap/osx-server01.spptech.com@OSX-SERVER01.SPPTECH.COM [forwardable]
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:54084 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM
Jul 12 08:18:03 --- last message repeated 1 time ---
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:51333 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM
Jul 12 08:18:03 --- last message repeated 1 time ---
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Client sent patypes: ENC-TS
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: ENC-TS pre-authentication succeeded -- benmac@OSX-SERVER01.SPPTECH.COM
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Requested flags: renewable, forwardable
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:57023 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM
Jul 12 08:18:05 --- last message repeated 1 time ---
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:54221 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM
Jul 12 08:18:05 --- last message repeated 1 time ---
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Client sent patypes: ENC-TS
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: ENC-TS pre-authentication succeeded -- benmac@OSX-SERVER01.SPPTECH.COM
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Requested flags: forwardable
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:53429 for host/osx-mav01.local@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Searching referral for osx-mav01.local
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:53429
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:49612 for krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM [forwardable]
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:49612
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:49282 for ldap/osx-server01.spptech.com@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]
Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:53053 for ldap/osx-server01.spptech.com@OSX-SERVER01.SPPTECH.COM [forwardable]
>>>LOG END
So we see above there are 4 TGS-REQ sent from the client that fail to generate any TGS-REP. This is not necessarily a problem in itself, and this would seem to indicate a client problem (since it is the client making the requests). But I want to confirm if it is a client issue, or if something is misconfigured on my server.
Two of the errors seem to indicate that the client is requesting a ticket (TGS) for host/osx-mav01.local@OSX-SERVER01.SPPTECH.COM. I'm not sure if this SPN is supposed to exist, especially because I am doing a non-authenticated bind to OD and therefore there should be no SPN for my client system in the Kerberos database.
The remaining 2 errors seem to indicate requests for krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM. Again, I'm not sure if this SPN is meant to exist. My gut tells me no because, as my klist shows, the proper SPN for the krbtgt is krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM. I know there is a long history of the special meaning of "local" in OSX networking which I am not intimately familiar with, but I'm unsure why it is searching for this.
I'm hoping that someone with a good understanding of Kerberos on OSX clients can chime in and elaborate on why this is happening.
At the very least, I'm hoping someone else with a 10.9/3.1.1+ configuration (the same thing happened on 3.1.1 and 3.1.2) can at least confirm that they see these same errors in their seemingly successful logins as well.
Thanks!
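The KDC's "Failed building TGS-REP to IP:PORT" line never names the service that was requested, so to count which SPNs are failing you have to join each failure back to its TGS-REQ by the client's source port, and pick up the reason from the preceding "Server not found in database" line. The following is an added example (not from the original post or from Apple) that does that over a subset of the log lines quoted above; the assumption that a TGS-REQ with no failure line was answered is labelled in the code.

```python
import re
from collections import Counter

# Sample KDC log lines: a subset of those quoted in the post above.
SAMPLE_LOG = """\
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:56642 for host/osx-mav01.local@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Searching referral for osx-mav01.local
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:56642
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:62796 for krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM [forwardable]
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:62796
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:54576 for ldap/osx-server01.spptech.com@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]
"""

TGS_REQ = re.compile(r"kdc\[\d+\]: TGS-REQ (\S+) from (\S+) for (\S+)")
NOT_FOUND = re.compile(r"Server not found in database: (\S+): ")
FAILED = re.compile(r"Failed building TGS-REP to (\S+)$")

def correlate_tgs(log_text):
    """Return (failed, answered) Counters keyed by requested service principal.

    failed   maps (spn, reason) -> count, where reason is the principal the
             KDC reported as missing just before the failure.
    answered maps spn -> count for requests that drew no failure line
             (assumption: the KDC does not log a successful TGS-REP here).
    """
    pending = {}          # client ip:port -> service principal requested
    last_reason = None
    failed, answered = Counter(), Counter()
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := TGS_REQ.search(line):
            pending[m.group(2)] = m.group(3)   # source port ties REQ to REP
            last_reason = None
        elif m := NOT_FOUND.search(line):
            last_reason = m.group(1)
        elif m := FAILED.search(line):
            spn = pending.pop(m.group(1), "<unknown>")
            failed[(spn, last_reason)] += 1
    for spn in pending.values():
        answered[spn] += 1
    return failed, answered

def local_suffix_requests(failed):
    """SPNs among the failures whose host part is a .local (Bonjour) name,
    which the KDC tried to resolve as a realm called LOCAL in the log above."""
    return sorted({spn for spn, _ in failed
                   if spn.split("@")[0].lower().endswith(".local")})
```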