Adding Kerberos Service Principals in OSX Server for 10.10?
Does anybody know how to add a service principal to Kerberos on Server for OSX 10.10 and have it work? We're trying to use Kerberos to authenticate users of our service where the user accounts are stored in OD on Server for OSX 10.10.
On the OD server machine we create the service principal using the usual Kerberos commands, and we seem to be able to create the principal. However, when an authenticated user requests a ticket for the service, it is reported as "expired". My guess is that there is some additional step that is required to "bless" a service ticket in an OD KDC. Or not.
In full disclosure and to explain the examples, we're trying to use Kerberos authentication as a means of integrating a Samba-based CIFS bridge with OD. Our product, MediaGrid, is a scalable shared storage system which includes an OSX (and Windows & Linux) network filesystem driver and which has supported OD, AD, and OpenLdap. However we've removed Samba and Linux from the picture completely and are so far unable to get OSX 10.10 Server to give out a valid service ticket to a second OSX 10.10 Mac.
We are able to add a service principal using kadmin (we've also tried with expiration times in 2016):
bash-3.2# kadmin -l
kadmin> add --random-key
kadmin> cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:
After authenticating ourselves on another OSX system we attempt to get a ticket for this service:
sh-3.2# kgetcred cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL
kgetcred: krb5_get_creds: Server (cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL) expired
The ticket is expired and unusable. Looking at the OS X Server 10.10.1 Server logs, we see:
Sep 8 14:43:33 apples-Mac-mini.local kdc[68]: Server expired at 2015-09-08T14:42:33 – cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL
This is reproducible. It gives an expiration time one minute before the current time of the ticket request. Each time we do this, the expired time changes to a minute prior. It looks like we need some additional setup.
Anybody know how to do this?
Mac mini, OS X Yosemite (10.10)
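To check whether a KDC's "Server expired" events really move with the request time, as the post observes, the following added example (not the poster's code) parses kdc log lines of the quoted shape and flags principals whose expiry sits at a constant offset behind each request. The sample lines are constructed (the first copies the line from the post), and it assumes the syslog timestamp falls in the same year as the expiry stamp.

```python
import re
from datetime import datetime

# Constructed sample lines: the first copies the kdc line quoted in the post,
# the second is a made-up repeat one minute later, the third is a made-up
# principal whose expiry is a fixed past date and does not track the request.
SAMPLE_LOG = """\
Sep 8 14:43:33 apples-Mac-mini.local kdc[68]: Server expired at 2015-09-08T14:42:33 – cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL
Sep 8 14:44:10 apples-Mac-mini.local kdc[68]: Server expired at 2015-09-08T14:43:10 – cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL
Sep 8 14:45:02 apples-Mac-mini.local kdc[68]: Server expired at 2015-01-01T00:00:00 – host/old.example.local@APPLES-MAC-MINI.LOCAL
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kdc\[\d+\]: "
    r"Server expired at (?P<expiry>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) [–-] (?P<principal>\S+)$"
)


def parse_server_expired(line):
    """Return (principal, seconds the request came after the expiry), or None
    when the line is not a 'Server expired' event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    expiry = datetime.strptime(m["expiry"], "%Y-%m-%dT%H:%M:%S")
    # syslog lines carry no year; assumption: same year as the expiry stamp
    stamp = f"{expiry.year} {m['mon']} {int(m['day']):02d} {m['time']}"
    logged = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
    return m["principal"], int((logged - expiry).total_seconds())


def expiry_tracks_request(lines):
    """Map principal -> True when two or more 'expired' events all sit at the
    same offset behind their own request time (the one-minute pattern in the
    post), False when the expiry is a fixed point or only seen once."""
    offsets = {}
    for line in lines:
        parsed = parse_server_expired(line)
        if parsed:
            offsets.setdefault(parsed[0], []).append(parsed[1])
    return {p: len(o) > 1 and len(set(o)) == 1 for p, o in offsets.items()}


if __name__ == "__main__":
    for principal, tracks in expiry_tracks_request(SAMPLE_LOG.splitlines()).items():
        print(f"{principal}: expiry tracks request time = {tracks}")
```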