Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Paul Munro
Paul Munro Author
User level: Level 2
220 points

Kerberos Ticket Renewal Problems

We have been working with an integrated OS X Server and AD network for a little while now with no difficulties. This past week things are changing (for the worse). For some strange reason, the XServe will not renew its own Kerberos ticket without my making it get a new one using the little application found in System > Core Services. What this means is that every 10 hours the XServe loses its ticket and users are stopped accessing resources on our RAID server.

Can anyone shed any light as to why OS X Server has suddenly thought- "hey, I think I will mess up Paul's week by not automatically renewing my kerberos ticket..."? All advice greatfully received.

Paul

MBP 2.16GHz Mac OS X (10.4.9)

iMac G5, Mac OS X (10.4.3)

Posted on May 22, 2007 6:13 AM

Reply
6 replies
User profile for user: Paul Munro
Paul Munro Author
User level: Level 2
220 points

May 25, 2007 1:10 AM in response to Dave Walcott

Hi.

Thanks for the reply people.

The output of my KLIST was:

"Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: administrator@domain

Valid Starting Expires Service Principal
05/25/07 05:19:36 05/25/07 15:19:36 krbtgt/KINGSWOOD.SCH.UK@domain
renew until 05/31/07 09:14:26

klist: No Kerberos 4 tickets in credentials cache"

The ticket has been renewing itself for the past two days- weird! But I am thinking that there is indeed a time skew error when renewing, because the clients had to have their time refined before they could log in yesterday morning. I will be waiting for network use to drop today and then will make sure that the time is synced across the domain properly.

If I extend the kerberos ticket time on the 2003 Server, how will this affect other services that rely on this?

Thanks again!

Paul


iMac G5 Mac OS X (10.4.9)
Reply
User profile for user: Dave Walcott
Dave Walcott
User level: Level 3
765 points

May 25, 2007 7:42 AM in response to Paul Munro

Paul: I don't think you need to extend the time - as Antonio mentioned, the defualt ticket time is 10 hours, so my guess is that when the 10 hours is up, the OS X server tries to get a new ticket, but the clocks are out of sync by more than 5 minutes, and thus it fails.

Next time the ticket renewal breaks, run the klist command, and check the exaclt time of both system clocks, and let us know what you find. It's important to do this while the OS X server is unable to renew it's ticket.

MacBook Pro Mac OS X (10.4.8)
Reply
User profile for user: Antonio Rocco
Antonio Rocco
User level: Level 6
12,278 points

May 25, 2007 8:21 AM in response to Paul Munro

Hi Paul

Dave makes a good point and its worth trying. Correct me if I am wrong Paul, the AD Server uses itself as the Time Server. If you point it to an Internet based Time Server – in my experience – it tends to be more accurate and time sync issues tend to disappear. My colleague has done this on our AD Server and its relatively painless. Obviously you use the command line:

net time /setsntp:[desired time server dns name or public IP]

The configuration change is not effective immediately, you can manually stop and restart the w32time service:

net stop w32time
net start w32time

Inspect the Event log and w32time process will log the changes or report a failure.

As for internet time servers, strangely Microsoft’s tends to be unreliable. Apple’s is not too bad, MIT have their own of course.

time.euro.apple.com - 17.72.133.45 & 17.72.133.42
time.mit.edu - 18.7.21.144 (you may have to doublecheck this one)
Reply

Kerberos Ticket Renewal Problems

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.
Learn more Sign up