
Adding Kerberos Service Principals in OSX Server for 10.10?

Does anybody know how to add a service principal to Kerberos on Server for OSX 10.10 and have it work? We're trying to use Kerberos to authenticate users of our service where the user accounts are stored in OD on Server for OSX 10.10.


On the OD server machine we create the service principal using the usual Kerberos commands we seem to be able to create the principal. However, when an authenticated user requests a ticket for the service, it is reported as "expired". My guess is that there is some additional step that is required to "bless" a service ticket in an OD KDC. Or not.


In full disclosure and to explain the examples, we're trying to use Kerberos authentication as a means of integrating a Samba-based CIFS bridge with OD. Our product, MediaGrid, is a scalable shared storage system which includes an OSX (and Windows & Linux) network filesystem driver and which has supported OD, AD, and OpenLdap. However we've removed Samba and Linux from the picture completely and are so far unable to get OSX 10.10 Server to give out a valid service ticket to a second OSX 10.10 Mac.


We are able to add a service principal using kadmin (we've also tried with expiration times in 2016):



  bash-3.2# kadmin -l
  kadmin> add --random-key
  kadmin>cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL
  Max ticket life [unlimited]:
  Max renewable life [unlimited]:
  Principal expiration time [never]:
  Password expiration time [never]:
  Attributes []:
  Policy [default]:

After authenticating ourself on another OSX system we attempt to get a ticket for this service:



  sh-3.2# kgetcred cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL
  kgetcred: krb5_get_creds: Server (cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL) expired

The ticket is expired and unusable. Looking at the OS X Server 10.10.1 Server logs, we see:



  Sep 8 14:43:33 apples-Mac-mini.local kdc[68]: Server expired at 2015-09-08T14:42:33 – cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL


This is reproducible. It gives an expiration time of one minute before the current time of the ticket request. Each time we do this the expired time changes to a minute prior. It looks like we need some additional setup.


Anybody know how to do this?

Mac mini, OS X Yosemite (10.10)

Posted on Sep 17, 2015 8:50 AM

6 replies

Sep 17, 2015 9:03 AM in response to EricHamilton

I cannot say for certain if it is the cause, but your message shows you are using a domain of .local; this domain is supposed to be reserved for Bonjour, aka multicast DNS. Often Active Directory users 'hijack' this domain.


You must use a different 'proper' domain to get Open Directory and hence Kerberos working properly. Even a fictitious domain like .private would be better than .local.


I would also say that trying to merely change your domain in your existing Open Directory setup is unlikely to be reliable. You therefore should consider exporting all your users and setting it up from scratch.

Dec 2, 2015 11:01 AM in response to EricHamilton

There is something wrong with what using kadmin alone does when adding a principal that I have found gives rise to exactly this effect.


You can use dscl simply if you wish to add a computer (called myhost for the sake of argument, with a couple of attributes set also):


  $ dscl -u diradminuser -P adminpasswd /LDAPv3/127.0.0.1 -create /Computers/myhost.domain \
      ENetAddress FF:00:DE:23:71:A4 IPAddress 192.168.1.37


and you will then automatically get all the service principals configured for you:


  $ sudo ktutil list | grep myhost | grep aes256
  1 aes256-cts-hmac-sha1-96 host/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 afpserver/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 cifs/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 vnc/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 ldap/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 afp/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 DNS/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 fcsvr/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 ftp/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 HTTP/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 http/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 imap/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 ipp/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 nfs/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 pop/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 smtp/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 ssh/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 smb/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 xmpp/myhost.domain@realm
  1 aes256-cts-hmac-sha1-96 vpn/myhost.domain@realm



You can use krbservicesetup too. The man page is rather out of date as to the service types it supports (that is, knows how to configure) - the full list can be obtained from:


$ sudo sso_util -?


It is also possible to add your own services - although they will not be automatically configured. For example, if you wish to create a service for Kerberos authenticated logins to an Oracle database, and for the sake of argument we shall call this service oracle:


$ sudo krbservicesetup -x -r realm oracle oracle/myhost.domain@realm


We can then set attributes for this service principal using kadmin (since krbservicesetup does not know how to configure it). For example:


  $ sudo kadmin -l -p diradminuser -r realm modify -a -disallow-svr oracle/myhost.domain@realm
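One way to confirm the outcome of the procedure in this reply before going back to kgetcred is to check the keytab for the service principals you expect. The script below is an added example and is not code from the thread or from Apple; it parses `ktutil list` output (a constructed sample is embedded so it runs offline), reports which expected services are missing for a given host and realm, and wraps the dscl/krbservicesetup commands shown above in a hypothetical `register_host` function that is defined but not run. The host name `myhost.domain`, realm `EXAMPLE.REALM` and the sample listing are placeholders.

```shell
#!/bin/bash
# Added example (not from the thread): verify that a host record created with
# dscl actually carries the service principals you expect before testing with
# kgetcred. "myhost.domain" and "EXAMPLE.REALM" are placeholder values.

# Constructed sample of `sudo ktutil list` output (Heimdal columns: Vno, Type,
# Principal), with two enctypes for one principal, a custom "oracle" service
# and an entry for a different host that must be ignored.
SAMPLE_KTUTIL='Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  host/myhost.domain@EXAMPLE.REALM
  1  aes128-cts-hmac-sha1-96  host/myhost.domain@EXAMPLE.REALM
  1  aes256-cts-hmac-sha1-96  afpserver/myhost.domain@EXAMPLE.REALM
  1  aes256-cts-hmac-sha1-96  cifs/myhost.domain@EXAMPLE.REALM
  1  aes256-cts-hmac-sha1-96  oracle/myhost.domain@EXAMPLE.REALM
  1  aes256-cts-hmac-sha1-96  host/otherhost.domain@EXAMPLE.REALM'

# keytab_services HOST REALM: read `ktutil list` output on stdin and print the
# distinct service names (the part before the slash) registered for HOST@REALM.
# Host and realm are compared as exact strings, not as regexes, so the dots in
# the host name are not treated as wildcards.
keytab_services() {
  awk -v h="$1" -v r="$2" '
    $3 ~ /@/ {
      split($3, pr, "@")          # pr[1] = service/host, pr[2] = realm
      split(pr[1], sv, "/")       # sv[1] = service,      sv[2] = host
      if (pr[2] == r && sv[2] == h) print sv[1]
    }' | sort -u
}

# missing_services HOST REALM SERVICE...: print every expected service that is
# absent from the keytab listing on stdin; exit status 1 if any is missing.
missing_services() {
  host="$1"; realm="$2"; shift 2
  present=$(keytab_services "$host" "$realm")
  rc=0
  for svc in "$@"; do
    if ! printf '%s\n' "$present" | grep -qx -- "$svc"; then
      printf '%s\n' "$svc"
      rc=1
    fi
  done
  return "$rc"
}

# Hypothetical wrapper around the commands from the reply above; defined here
# for completeness but not executed. Creating the computer record is what makes
# the directory generate the standard service principals; krbservicesetup then
# adds a custom one (the "oracle" service used in the reply).
register_host() {
  host="$1"; realm="$2"; admin="$3"; adminpw="$4"; mac="$5"; ip="$6"
  dscl -u "$admin" -P "$adminpw" /LDAPv3/127.0.0.1 -create "/Computers/$host" \
    ENetAddress "$mac" IPAddress "$ip"
  sudo krbservicesetup -x -r "$realm" oracle "oracle/$host@$realm"
}

# Run the check against the constructed sample: smb and vnc are not present.
if missing=$(printf '%s\n' "$SAMPLE_KTUTIL" | \
             missing_services myhost.domain EXAMPLE.REALM host afpserver cifs smb vnc); then
  echo "all expected service principals present"
else
  echo "missing from keytab:"
  printf '%s\n' "$missing"
fi
```

On a live server you would feed real output instead of the sample, for instance `sudo ktutil list | missing_services myhost.domain REALM host cifs afpserver`, and a non-zero exit status tells you the record did not produce the principals the reply describes.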
