#1

Kerberized Login not working as expected

I'm trying to get my Leopard client to access sharepoints on my Leopard server using Kerberos authentication established at login. I'll list what I have done already below:

- OD set up with a username (short and long) and password that is the same as that being used on the client laptop.
- Client laptop is bound to the OD
- modified /etc/authorization: <string>builtin:authenticate,privileged</string> to <string>builtin:krb5authnoverify,privileged</string>

When I log in it accepts my password and allows me into the laptop. The OD logs show that authentication to the server took place (I believe) (username and domain intentionally masked):

Code:
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: NEEDED_PREAUTH: user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Additional pre-authentication required
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: NEEDED_PREAUTH: user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Additional pre-authentication required
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): handling authdata
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): handling authdata
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): .. .. ok
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): .. .. ok
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: ISSUE: authtime 1202564345, etypes {rep=16 tkt=16 ses=16}, user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: ISSUE: authtime 1202564345, etypes {rep=16 tkt=16 ses=16}, user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV

Am I missing something here?

Hans
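The krb5kdc lines quoted above tell the server-side story of the AS exchange: NEEDED_PREAUTH is the KDC's challenge, and the later ISSUE line for the same client address means the KDC actually issued a krbtgt (TGT) to that client. The following shell script is an added example, not part of the thread, that summarizes AS_REQ outcomes per client address and counts failed pre-authentication attempts per principal, which is the check an administrator wants when deciding whether a login problem lies on the KDC side or on the client side. The log sample is constructed: the first client's lines are modeled on the ones Hans posted, and the second client (10.0.1.122, principal other@SERVER.xxxx.PRIV) with its PREAUTH_FAILED line is invented to exercise the failure path.

```shell
#!/bin/sh
# Added example (not from the thread): summarize krb5kdc AS_REQ outcomes.
# KDC_LOG_SAMPLE is constructed. The 10.0.1.121 lines mirror the quoted log;
# the 10.0.1.122 lines are invented to show a failed pre-authentication.
KDC_LOG_SAMPLE='Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: NEEDED_PREAUTH: user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Additional pre-authentication required
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): handling authdata
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): .. .. ok
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: ISSUE: authtime 1202564345, etypes {rep=16 tkt=16 ses=16}, user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
Feb 09 13:41:12 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.122: NEEDED_PREAUTH: other@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Additional pre-authentication required
Feb 09 13:41:13 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.122: PREAUTH_FAILED: other@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Preauthentication failed'

# as_req_outcome <client_ip>: reads a krb5kdc log on stdin and prints the last
# terminal outcome of that client's AS_REQ exchange:
#   ISSUE           the KDC issued a TGT to the client
#   PREAUTH_FAILED  the client failed pre-authentication (wrong password, bad clock, ...)
#   NEEDED_PREAUTH  only the pre-auth challenge was logged, no answer seen
#   NONE            no AS_REQ from that address at all
as_req_outcome() {
    awk -v ip="$1" '
        /AS_REQ/ && index($0, " " ip ": ") {
            if ($0 ~ /: ISSUE:/)                { out = "ISSUE" }
            else if ($0 ~ /: PREAUTH_FAILED:/)  { out = "PREAUTH_FAILED" }
            else if (out == "")                 { out = "NEEDED_PREAUTH" }
        }
        END { print (out == "" ? "NONE" : out) }'
}

# preauth_failures: reads a krb5kdc log on stdin and prints "<count> <principal>"
# for every client principal that failed pre-authentication at least once.
# Repeated failures for one principal are the usual bad-password signal.
preauth_failures() {
    awk '/AS_REQ/ && /: PREAUTH_FAILED: / {
            sub(/.*: PREAUTH_FAILED: /, "")   # drop everything up to the principal
            sub(/ for .*/, "")                # keep only the client principal
            n[$0]++
         }
         END { for (p in n) print n[p], p }'
}

# Usage on a real server (path for Leopard Server assumed):
#   as_req_outcome 10.0.1.121 < /var/log/krb5kdc/kdc.log
#   preauth_failures         < /var/log/krb5kdc/kdc.log
printf '%s\n' "$KDC_LOG_SAMPLE" | as_req_outcome 10.0.1.121
printf '%s\n' "$KDC_LOG_SAMPLE" | as_req_outcome 10.0.1.122
printf '%s\n' "$KDC_LOG_SAMPLE" | preauth_failures
```

Applied to the log Hans quoted, the first client's outcome is ISSUE, so the KDC side completed: whatever is wrong happens after that, on the client that receives (or fails to keep) the ticket.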
#2

Hans,

I've never had the need to modify /etc/authorization by hand to get this to work. Is the AFP server hosted on the OD Master or is that on a secondary server? When you log in to the client, what does klist return? Could be that you are not receiving a TGT to start with. Do you have any sort of password caching on (Mobile home or Portable homes?)

Michael
#3

Hi and thanks for your response.

Directly after a reboot and login on the client klist shows:

Code:
klist: No Kerberos 5 tickets in credentials cache

If I use Command-K to connect to an AFP share on the OD server it works but only with the short name (not the long name). Once I get that connection klist shows:

Code:
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@SERVER.xxxx.PRIV

Valid Starting     Expires            Service Principal
02/10/08 22:03:45  02/11/08 08:03:45  krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
        renew until 02/17/08 22:03:45
02/10/08 22:03:45  02/11/08 08:03:45  afpserver/server.xxxx.priv@SERVER.xxxx.PRIV
        renew until 02/17/08 22:03:45

To answer your question, I don't believe I have any password caching enabled - the users on OD are added with all the default settings - I've not changed anything on the user accounts on OD yet.

Thanks again - this is my first dabble into OS X Server. I really appreciate your help.

Thanks
Hans
#4

Hans,

This means that you are not getting a TGT at login. If you are not familiar, a TGT is a ticket granting ticket, which allows you to access the other Kerberized services in your OD domain. In your second clip, you can see that you then have a TGT and a service ticket from the AFP server.

Is this server also providing your DNS services? If so, when you set up the server, did you make sure to create the DNS records and start the service before creating the OD Master? Do your servers and clients all have the proper DNS server IP addresses and search domain included in the Networking preferences?

Just a couple of things to look at! Happy to help out!

Michael
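Michael's check above (run klist right after login, see whether a krbtgt entry is there) is easy to script so it can be repeated after each configuration change. The shell functions below are an added example, not part of the thread: they read klist output on stdin and report whether a TGT is present and which service tickets the credentials cache holds. The klist sample is constructed from the output Hans quoted; the tickets in it are long expired, so the functions only test presence, not validity.

```shell
#!/bin/sh
# Added example (not from the thread): classify klist output.
# KLIST_SAMPLE is constructed, modeled on the klist output quoted in post #3.
KLIST_SAMPLE="Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@SERVER.xxxx.PRIV

Valid Starting     Expires            Service Principal
02/10/08 22:03:45  02/11/08 08:03:45  krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
        renew until 02/17/08 22:03:45
02/10/08 22:03:45  02/11/08 08:03:45  afpserver/server.xxxx.priv@SERVER.xxxx.PRIV
        renew until 02/17/08 22:03:45"

# Constructed: what klist prints when the cache is empty (the post-login case in post #3).
KLIST_EMPTY='klist: No Kerberos 5 tickets in credentials cache'

# tgt_status: reads klist output on stdin; prints TGT when a krbtgt ticket is
# listed and NO_TGT otherwise (covers both the empty-cache message and a cache
# that only holds service tickets).
tgt_status() {
    if grep -q 'krbtgt/'; then
        echo TGT
    else
        echo NO_TGT
    fi
}

# service_tickets: reads klist output on stdin and prints the service part
# (before the '@') of every non-krbtgt ticket. Ticket lines have the form
# "<start date> <start time> <expiry date> <expiry time> <service principal>",
# so the principal is field 5; header and "renew until" lines never match.
service_tickets() {
    awk '$5 ~ /@/ && $5 !~ /^krbtgt\// { sub(/@.*/, "", $5); print $5 }'
}

# Usage on a client: klist writes the empty-cache message to stderr, hence 2>&1.
#   klist 2>&1 | tgt_status
#   klist 2>&1 | service_tickets
printf '%s\n' "$KLIST_EMPTY"  | tgt_status
printf '%s\n' "$KLIST_SAMPLE" | tgt_status
printf '%s\n' "$KLIST_SAMPLE" | service_tickets
```

Run at the login window stage it returns NO_TGT for the situation Hans describes, and TGT plus afpserver/server.xxxx.priv once the Command-K connection has obtained tickets.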
#5

Hi Michael,

Is the login window in Leopard supposed to try to get a TGT by default? I'd changed the /etc/authorization file based on advice found on Google.

According to the network settings in System Preferences (obtained via DHCP) the DNS server is my server's IP and the search domain is the domain xxxx.priv. Is the LDAP part on the DHCP server important? (i.e. setting the client's LDAP to point to the server via DHCP).

To answer your above questions: Yes, DNS, OD and AFP are on the same server. I did set up DNS first; however, I'm using a dummy domain xxxx.priv. The server has my router (which does DNS forwarding) set up as a DNS forwarder, so I'm able to resolve all other domains.

The setup docs I read said it was vital that DNS worked before trying to set up OD and that a good indication was that it resolved the server name to the correct FQDN. On my setup it did this but only with IPv6 turned off; with IPv6 on it would resolve to the IPv6 hostname of server.local. Could this be the problem?

Thanks again for your advice.

Hans
#6

Michael (or anyone else reading),

I think I may be one step closer again. I've been reading up on Kerberos and specifically the TGTs you mentioned. I discovered the kinit command. If I run kinit it 'guesses' the correct username - I enter my password and all my Kerberized stuff works.

Code:
client$ kinit
Please enter the password for user@SERVER.xxxx.PRIV:
client$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@SERVER.xxxx.PRIV

Valid Starting     Expires            Service Principal
02/11/08 20:17:50  02/12/08 06:17:50  krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
        renew until 02/18/08 20:17:50

Thanks again
Hans

Last edited by hhuberla; February 14th, 2008 at 01:19 AM.