Kerberized Login not working as expected

hhuberla

I'm trying to get my Leopard client to access sharepoints on my Leopard server using Kerberos authentication established at login. I'll list what I have done already below:

- OD set up with a username (short and long) and password that is the same as that being used on the client laptop.
- Client laptop is bound to the OD
- modified /etc/authorization: <string>builtin:authenticate,privileged</string> to <string>builtin:krb5authnoverify,privileged</string>

When I log in it accepts my password and allows me into the laptop. The OD logs show that authentication to the server took place (I believe) (username and domain intentionally masked):
Code:
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: NEEDED_PREAUTH: user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Additional pre-authentication required
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: NEEDED_PREAUTH: user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Additional pre-authentication required
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): handling authdata
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): handling authdata
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): .. .. ok
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): .. .. ok
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: ISSUE: authtime 1202564345, etypes {rep=16 tkt=16 ses=16}, user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.1.121: ISSUE: authtime 1202564345, etypes {rep=16 tkt=16 ses=16}, user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV

When I try to connect to an AFP sharepoint it again asks me to authenticate. If I authenticate once then I can access any other sharepoints with no problems; however, I'd like to be able to use the Kerberos ticket I believe I have from the system login to do this AFP authentication.

Am I missing something here?

Hans
 
Hans,

I've never had the need to modify /etc/authorization by hand to get this to work. Is the AFP server hosted on the OD Master or is that on a secondary server? When you login to the client, what does klist return? Could be that you are not receiving a TGT to start with. Do you have any sort of password caching on (Mobile home or Portable homes?)

Michael
 
Hi and thanks for your response.

Directly after a reboot and login on the client klist shows:
Code:
klist: No Kerberos 5 tickets in credentials cache

When I try to click on the server under the "Shared" divider in Finder on the client it says connection refused. This is what I'd imagine given the above. I'm not sure if it makes a difference, but "Connect as" won't accept the OD user credentials.

If I use Command-K to connect to an AFP share on the OD server it works, but only with the short name (not the long name). Once I get that connection klist shows:
Code:
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@SERVER.xxxx.PRIV

Valid Starting     Expires            Service Principal
02/10/08 22:03:45  02/11/08 08:03:45  krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
	renew until 02/17/08 22:03:45
02/10/08 22:03:45  02/11/08 08:03:45  afpserver/server.xxxx.priv@SERVER.xxxx.PRIV
	renew until 02/17/08 22:03:45

Once this is in place all the Kerberized stuff seems to work.

To answer your question: I don't believe I have any password caching enabled. The users on OD are added with all the default settings; I've not changed anything on the user accounts on OD yet.

Thanks again - this is my first dabble into OS X Server. I really appreciate your help.

Thanks
Hans
 
Hans,

This means that you are not getting a TGT at login. If you are not familiar, a TGT is a ticket granting ticket, which allows you to access the other Kerberized services in your OD domain.

In your second clip, you can see that you then have a TGT and a service ticket from the AFP server.

Is this server also providing your DNS services? If so, when you set up the server, did you make sure to create the DNS records and start the service before creating the OD Master? Do your servers and clients all have the proper DNS server IP addresses and search domain included in the Networking preferences?

Just a couple of things to look at! Happy to help out!

Michael
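A small shell helper, added here and not from either poster, that classifies klist output the way Michael describes: does the cache hold a TGT (krbtgt/REALM@REALM) for the OD realm, and does it hold an AFP service ticket? The two sample cache dumps are constructed to mirror the ones quoted earlier in the thread; the realm name is taken from them.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): decide from klist output
# whether the login session actually holds a TGT for the OD realm.

# Constructed samples modelled on the klist output quoted in this thread.
SAMPLE_WITH_TGT="Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@SERVER.xxxx.PRIV

Valid Starting     Expires            Service Principal
02/10/08 22:03:45  02/11/08 08:03:45  krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
        renew until 02/17/08 22:03:45
02/10/08 22:03:45  02/11/08 08:03:45  afpserver/server.xxxx.priv@SERVER.xxxx.PRIV
        renew until 02/17/08 22:03:45"
SAMPLE_EMPTY="klist: No Kerberos 5 tickets in credentials cache"

# Print one service principal per line from klist output on stdin.
# Ticket rows start with a MM/DD/YY date; the 'renew until' rows do not.
list_principals() {
    awk '$1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ { print $5 }'
}

# Succeed if the cache on stdin holds a TGT (krbtgt/REALM@REALM) for REALM.
has_tgt() {
    list_principals | grep -Fqx "krbtgt/$1@$1"
}

# Succeed if the cache on stdin holds a ticket for SERVICE/<host>@<realm>,
# e.g. afpserver, which shows up only after a Kerberized AFP mount.
has_service_ticket() {
    list_principals | grep -q "^$1/"
}

# Live check on the client: 0 = TGT present, 1 = no TGT, 2 = klist unavailable.
check_login_tgt() {
    command -v klist >/dev/null 2>&1 || { echo "klist not found"; return 2; }
    if klist 2>&1 | has_tgt "$1"; then
        echo "TGT for $1 present: the login window obtained Kerberos credentials"
    else
        echo "no TGT for $1: login did not get one; kinit works around it, check DNS/realm setup"
        return 1
    fi
}
```

Run `check_login_tgt SERVER.xxxx.PRIV` right after logging in on the client; a return of 1 matches the "No Kerberos 5 tickets" symptom in this thread.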
 
Hi Michael,

Is the login window in Leopard supposed to try to get a TGT by default? I'd changed the /etc/authorization file based on advice found on Google.

According to the network settings in System Preferences (obtained via DHCP), the DNS server is my server's IP and the search domain is the domain xxxx.priv. Is the LDAP part on the DHCP server important? (i.e. setting the client's LDAP to point to the server via DHCP).

To answer your above questions: yes, DNS, OD and AFP are on the same server. I did set up DNS first; however, I'm using a dummy domain xxxx.priv. The server has my router (which does DNS forwarding) set up as a DNS forwarder, so I'm able to resolve all other domains.

The setup docs I read said it was vital that DNS worked before trying to set up OD and that a good indication was that it resolved the server name to the correct FQDN. On my setup it did this, but only with IPv6 turned off; with IPv6 on, it would resolve to the IPv6 hostname of server.local. Could this be the problem?

Thanks again for your advice.

Hans
 
Michael (or any one else reading),

I think I may be one step closer again. I've been reading up on Kerberos and specifically the TGTs you mentioned. I discovered the kinit command.

If I run kinit it 'guesses' the correct username; I enter my password and all my Kerberized stuff works.

Code:
client$ kinit
Please enter the password for user@SERVER.xxxx.PRIV: 

client$ klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: user@SERVER.xxxx.PRIV

Valid Starting     Expires            Service Principal
02/11/08 20:17:50  02/12/08 06:17:50  krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
	renew until 02/18/08 20:17:50

So, why does the login window not just initiate kinit or a similar bit of code?

Thanks again

Hans
 