
Failed building TGS-REP in system log. Normal?

This is dealing with Server 3.1.2 on 10.9.4 and 10.9 clients connecting.


This is pretty much direct out of the box install of both the server and client.


I'm doing a standard (non-authenticated) bind to OD and am able to login with my newly created OD user no problem.

So, basically...it works.


Details:

OD Server: osx-server01.spptech.com

OD Client: osx-mac01.spptech.com

OD User: benmac


A klist upon login shows the following:


OSX-MAV01:~ benmac$ klist

Credentials cache: API:7AE8722E-76F2-4DB2-8CD1-E07631D8C1A1

Principal: benmac@OSX-SERVER01.SPPTECH.COM


Issued Expires Principal

Jul 12 08:26:22 2014 Jul 12 18:26:22 2014 krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM


I'm pretty sure the above is correct, although I don't have a lot of experience to know what a "proper" kerberos configuration in OD should look like.


What I'm concerned about are the errors in my System log relating to Kerberos. Below is what a login produces. I've highlighted in bold what troubles me:


>>>LOG BEGIN

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:54482 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM

Jul 12 08:18:03 --- last message repeated 1 time ---

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:52872 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM

Jul 12 08:18:03 --- last message repeated 1 time ---

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Client sent patypes: ENC-TS

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: ENC-TS pre-authentication succeeded -- benmac@OSX-SERVER01.SPPTECH.COM

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Requested flags: forwardable

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:56642 for host/osx-mav01.local@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Searching referral for osx-mav01.local

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:56642

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:62796 for krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM [forwardable]

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:62796

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:54576 for ldap/osx-server01.spptech.com@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:52707 for ldap/osx-server01.spptech.com@OSX-SERVER01.SPPTECH.COM [forwardable]

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:54084 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM

Jul 12 08:18:03 --- last message repeated 1 time ---

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:51333 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM

Jul 12 08:18:03 --- last message repeated 1 time ---

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Client sent patypes: ENC-TS

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: ENC-TS pre-authentication succeeded -- benmac@OSX-SERVER01.SPPTECH.COM

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96

Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Requested flags: renewable, forwardable

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:57023 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM

Jul 12 08:18:05 --- last message repeated 1 time ---

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: AS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:54221 for krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM

Jul 12 08:18:05 --- last message repeated 1 time ---

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Client sent patypes: ENC-TS

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: ENC-TS pre-authentication succeeded -- benmac@OSX-SERVER01.SPPTECH.COM

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Requested flags: forwardable

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:53429 for host/osx-mav01.local@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Searching referral for osx-mav01.local

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:53429

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:49612 for krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM [forwardable]

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:49612

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:49282 for ldap/osx-server01.spptech.com@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]

Jul 12 08:18:05 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:53053 for ldap/osx-server01.spptech.com@OSX-SERVER01.SPPTECH.COM [forwardable]

>>>LOG END


So we see above there are 4 TGS-REQ sent from the client that fail to generate any TGS-REP. This is not necessarily a problem in itself, and this would seem to indicate a client problem (since it is the client making the requests). But I want to confirm if it is a client issue, or if something is misconfigured on my server.


Two of the errors seem to indicate that the client is requesting a ticket (TGS) for host/osx-mav01.local@OSX-SERVER01.SPPTECH.COM. I'm not sure if this SPN is supposed to exist, especially because I am doing a non-authenticated bind to OD and therefore there should be no SPN for my client system in the Kerberos database.


The remaining 2 errors seem to indicate requests for krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM. Again, I'm not sure if this SPN is meant to exist. My gut tells me no because as my klist shows the proper SPN for the krbtgt is krbtgt/OSX-SERVER01.SPPTECH.COM@OSX-SERVER01.SPPTECH.COM. I know there is a long history of the special meaning of "local" in OSX networking which I am not intimately familiar with, but I'm unsure why it is searching for this.


I'm hoping that someone with a good understanding of Kerberos on OSX clients can chime in and elaborate on why this is happening.


At the very least, I'm hoping someone else with a 10.9/3.1.1+ (same thing happened on 3.1.1 and 3.1.2) configuration can at least confirm you see these same errors in your seemingly successful logins as well.


Thanks!

Posted on Jul 12, 2014 6:49 AM
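One way to answer the "which requests actually fail?" question from the log itself, rather than by eye, is to pair every TGS-REQ with the "Failed building TGS-REP" line that carries the same client ip:port. The script below is an added example written for this thread; it is not code from the original poster or from Apple. The sample input is the relevant subset of the KDC lines quoted in the post above, and the pairing rule (match on the source ip:port, and attach a "Server not found in database" line to the most recent request) is an assumption about how Heimdal's kdc logs interleave, which holds for the lines shown here.

```python
import re
from collections import Counter

# Sample input: the TGS-related lines quoted in the post above (trimmed to one login).
SAMPLE_LOG = """\
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:56642 for host/osx-mav01.local@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Searching referral for osx-mav01.local
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:56642
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:62796 for krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM [forwardable]
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Server not found in database: krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM: no such entry found in hdb
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: Failed building TGS-REP to 172.23.10.204:62796
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:54576 for ldap/osx-server01.spptech.com@OSX-SERVER01.SPPTECH.COM [canonicalize, forwardable]
Jul 12 08:18:03 osx-server01.spptech.com kdc[2419]: TGS-REQ benmac@OSX-SERVER01.SPPTECH.COM from 172.23.10.204:52707 for ldap/osx-server01.spptech.com@OSX-SERVER01.SPPTECH.COM [forwardable]
"""

# Patterns for the three kdc message shapes we care about.
TGS_REQ = re.compile(r"kdc\[\d+\]: TGS-REQ (?P<client>\S+) from (?P<src>\S+) for (?P<spn>\S+)")
NOT_FOUND = re.compile(r"Server not found in database: (?P<spn>\S+):")
TGS_FAIL = re.compile(r"kdc\[\d+\]: Failed building TGS-REP to (?P<src>\S+)")


def correlate_tgs(log_text):
    """Pair each TGS-REQ with a later 'Failed building TGS-REP' for the same
    source ip:port.

    Returns (failed, succeeded):
      failed    - list of (client, requested_spn, missing_db_entry)
      succeeded - list of (client, requested_spn) with no failure line
    """
    pending = {}          # src ip:port -> [client, requested spn, missing entry]
    last_src = None       # source of the most recent TGS-REQ (assumption: the
                          # 'Server not found' line belongs to that request)
    failed = []
    for line in log_text.splitlines():
        m = TGS_REQ.search(line)
        if m:
            pending[m["src"]] = [m["client"], m["spn"], None]
            last_src = m["src"]
            continue
        m = NOT_FOUND.search(line)
        if m and last_src in pending:
            pending[last_src][2] = m["spn"]
            continue
        m = TGS_FAIL.search(line)
        if m:
            rec = pending.pop(m["src"], None)
            if rec is not None:
                failed.append(tuple(rec))
    succeeded = [(client, spn) for client, spn, _ in pending.values()]
    return failed, succeeded


def failures_by_spn(failed):
    """Count failed requests per requested SPN, so a noisy-but-harmless name
    (e.g. a .local host principal) stands out from a real server problem."""
    return Counter(spn for _, spn, _ in failed)


if __name__ == "__main__":
    failed, ok = correlate_tgs(SAMPLE_LOG)
    for client, spn, missing in failed:
        print(f"FAILED  {client} -> {spn}  (missing in hdb: {missing})")
    for client, spn in ok:
        print(f"OK      {client} -> {spn}")
    print(dict(failures_by_spn(failed)))
```

On the post's own lines this reports exactly two failures, one for the host/osx-mav01.local principal and one for krbtgt/LOCAL, both with krbtgt/LOCAL@OSX-SERVER01.SPPTECH.COM as the entry the KDC could not find, while both ldap/osx-server01.spptech.com requests have no matching failure line. Run against a longer stretch of system.log, the per-SPN count is what tells you whether the failures are confined to .local names (which follow the client) or also hit service principals the server should hold.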

3 replies

Jul 14, 2014 10:08 AM in response to BJH75

I am in a similar situation with a similar setup, and saw the same message.


Unencumbered by any actual deep knowledge on the subject, I did a search for TGS-REP and came up with an old article. Based only on that article, I think it is telling you that:

"I'm doing a standard (non-authenticated) bind to OD"

and therefore it cannot build an encrypted Ticket-Granting-System Repository for some tickets.


See if you can make it any farther than that by looking over the article:


http://msdn.microsoft.com/en-us/library/cc233962.aspx

I would love to hear any deeper knowledge, conclusions, or rampant speculation Readers might come up with.

Apr 4, 2015 4:49 PM in response to BJH75

I had the exact same issue with Failed building TGS-REP to ip.ip.ip.ip:port.


Managed to fix it by Archiving, Recreating a new Open Directory server and restoring the old one over the newer.


Well, I found a nice method posted here https://support.apple.com/kb/PH15633:



1. First archive (backup) your current OD on the server.

Using the Server app interface backup your current OD, clicking on the sprocket and choosing Archive.



2. Destroy the current OD. (*optional)

sudo slapconfig -destroyldapserver



3. Create a new one from scratch on the new server.

Using the Server app interface. Go to Open Directory on the left side and click the On button in the top right.



4. Restore the old one over the new one.

sudo slapconfig -restoredb /full/path/to/archive.sparseimage
