Verify Kerberos functionality?

Trilithon

My OS X Server (10.4.3) is connected to a directory system (AD) for authenticating our AD users to a Samba share on the OS X Server.
I've joined it to our AD using the AD admin account.

I've recently noticed several entries in the "Windows File Service log" on the OS X server that say "Failed to verify incoming ticket!"

Is there a way to verify if Kerberos is configured correctly and running as it should?

Regards
T
 
Maybe try the kinit command with several users to see if it works correctly.

See also the edu.mit.kerberos file and DNS.

only suggestions
 
Couple things to look at.

First and foremost, you'll need to be sure that you have proper forward and reverse DNS lookups. After binding in the OS X Server to the AD, go into the Open Directory service in Server Admin and join the Kerberos.

Why not just test to see if the Kerberos ticket is accepted? Log in as an AD user at loginwindow and attempt to connect to the OS X Server. If you're not using AD logins at the client, use kinit to grab a Kerberos ticket or go into /Library/CoreServices and use the Kerberos application. If you get into the server without having to authenticate, you should be ok. You could use the same Kerberos application to see that you get a service ticket from the OS X Server. You could also use klist.

Hope this helps! :)

Michael
 
Thanks for your input!

However, when I bind my OS X server to the AD and go to "Open Directory" the popup window doesn't show any realms to join. It just says "null(default)" in the drop-down list.

Even further, let's say that after I bind to the AD and save the changes by clicking "save", the "join kerberos" button disappears leaving me no option to join at all.

Any thoughts on this?

/T
 
Oh, sorry but I forgot to mention that the DNS lookups are working like a charm.

I ran the "kinit" command in the CLI and was prompted for a password for the particular user. Then I ran klist to verify if I'd gotten a ticket which I indeed had.

I also tried to browse from my XP box to a share on the OS X server without any problems (meaning no auth request to access) so it seems like Krb is running fine.

Still, I can't get rid of the feeling that something isn't quite right... :confused:

Anyhow, I'd still appreciate some input on the problems described in my previous post above.

/T
 
The Join Kerberos button disappears after you join kerberos.

How did you test the DNS lookups?

Are you sure your AD is setup properly?

Michael
 
The lack of realms to join is a pretty clear indication that your DNS isn't correctly configured.

At one point was your server configured as an OD master? That can cause some strangeness like that. I'd look at the TGT you are getting from the AD server and see if you can resolve that from the Mac OS Server. Otherwise, disconnect your server from AD, make it a standalone, reboot, then join again and see what transpires.

Trilithon said:
Thanks for your input!

However, when I bind my OS X server to the AD and go to "Open Directory" the popup window doesn't show any realms to join. It just says "null(default)" in the drop-down list.

Even further, let's say that after I bind to the AD and save the changes by clicking "save", the "join kerberos" button disappears leaving me no option to join at all.

Any thoughts on this?

/T
 
Ok, first and foremost, I'd like to thank you for putting some effort into this.
It really helps to have guys like you when trying to improve the somewhat limited skills I have in the Mac world, being that I come from the PC world.

Some background to maybe clear things up a bit:

I was recently hired as a network admin at this company (located in Gothenburg, Sweden) where I inherited an ActiveDirectory based windows network that had been run by numerous consultants over the years, leaving me a pretty messed up network with almost no documentation. We have a PrePress department with about 10 Mac clients (Tiger) and one Xserve +one XserveRaid box. The rest of the network is about 20 windows servers and about 40 win clients. As mentioned earlier, I have very limited skills in the Mac (and unix) world.

There are 2 DC's and an AD integrated DNS.

Now to your questions:

From a CLI on the XServe I ran nslookup "DC servername" which actually returned a failure. But then I ran the same command but used the server's FQDN and that worked fine. I then did the same with the IP address and that returned fine as well, so I didn't suspect any DNS errors even though I did get an error at first.

I also tried it using the "host" command, giving me the exact same results as in the nslookup test. I do have a problem with the Xserve showing up in the Windows browser lists even though I configured the server to register with our WINS server.

The AD itself isn't reporting any failures and all my win clients and servers are working fine. I can't find a single error in my win2k server logs except from the Xserve computer account failing to logon to the domain every 6 hours.
I thought that unbinding, deleting the domain computer account and then binding again would solve that, but it didn't.

My questions:

By TGT I suppose you mean the Ticket Granting Ticket, and if so how do I view that?

Do I have to reboot the server after unbinding and before binding again?

From reading the manuals I figured that I first had to join the AD and then go into Open Directory and select "Join Kerberos". But right after binding I click save in the Directory Access dialog and when that dialog closes the Join Kerberos button disappears. Is Kerberos joined automagically by binding to AD? If I just close the Directory Access dialog without hitting the save button, I do have the option to click the "join Kerberos" button, but my AD domain isn't listed (see above post).

Again, thanks a lot for your time.

Regards
T
 
To see the TGT, use the klist command in the terminal. If you have one, it'll be listed there. If not, try using kinit with an AD username and password to initiate a request for one, then klist to see the response you have received.

In fact, if this server is being set up for AD Kerberos use, you should be able to use:

sudo klist -kt

on the server to dump out the Kerberos service principals from the created Kerberos keytab file. If this doesn't look right, Kerberos will fail as well.

You also could put directoryservice into debug mode and poke around a bit. If all else fails, Sweden is a nine hour flight from Chicago! ;)

Let me know what your results are! :)
 
Go3iverson said:
To see the TGT, use the klist command in the terminal. If you have one, it'll be listed there. If not, try using kinit with an AD username and password to initiate a request for one, then klist to see the response you have received.

In fact, if this server is being set up for AD Kerberos use, you should be able to use:

sudo klist -kt

on the server to dump out the Kerberos service principals from the created Kerberos keytab file. If this doesn't look right, Kerberos will fail as well.

You also could put directoryservice into debug mode and poke around a bit. If all else fails, Sweden is a nine hour flight from Chicago! ;)

Let me know what your results are! :)

Well, that's a pretty long flight now, wouldn't you say? And I would certainly not ask you to risk your life by coming here since it's common knowledge that we've got man-eating polar bears hanging around every street corner... :)

Now to the results:
Note that I've exchanged the actual names in the results below.
This is the output from running "kinit administrator" and then "klist":

Valid Starting     Expires            Service Principal
03/25/06 19:47:48  03/26/06 06:47:40  krbtgt/DOMAINNAME.SE@DOMAINNAME.SE
        renew until 04/01/06 20:47:48

This indicates to me that kerberos is functioning.

I then ran "sudo klist -kt" and this is the result:

SERVERNAME:/etc/bkupexec admin$ sudo klist -kt
Password:
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
0 03/25/06 18:00:03 afpserver/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 afpserver/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 afpserver/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 ftp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 ftp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 ftp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 imap/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 imap/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 imap/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 pop/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 pop/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 pop/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 HTTP/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 HTTP/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 HTTP/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 http/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 http/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 http/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 smtp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 smtp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 smtp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 host/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 host/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 host/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 cifs/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 cifs/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 cifs/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 xmpp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 ipp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 ipp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 xmpp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 vpn/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 vpn/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 xmpp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 xgrid/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 xgrid/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 servername$@DOMAINNAME.SE
0 03/25/06 18:00:03 servername$@DOMAINNAME.SE
0 03/25/06 18:00:03 servername$@DOMAINNAME.SE
0 03/25/06 18:00:03 ipp/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 vpn/servername.domainname.se@DOMAINNAME.SE
0 03/25/06 18:00:03 xgrid/servername.domainname.se@DOMAINNAME.SE
Since I'm not a Kerberos über guru, I really don't know what to look for in this output that would indicate an error. Maybe you could give me a hint?

Thanks
T
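Trilithon asks what to look for in that listing. As an added example (not code from the thread), here is a small Python check run over a constructed listing in the same shape as the "sudo klist -kt" output above: it confirms that every key belongs to the AD realm, that every service principal names this server's FQDN, that the cifs/ principal the Windows file service decrypts SMB tickets with (and the host/ principal) are present, and that all keys carry a single KVNO. The sample names and the list of required services are assumptions.

```python
import re
from collections import Counter

# Constructed sample shaped like the "sudo klist -kt" listing in the thread (names
# replaced). The real listing repeats each principal once per encryption type.
SAMPLE_KLIST_KT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   0 03/25/06 18:00:03 afpserver/servername.domainname.se@DOMAINNAME.SE
   0 03/25/06 18:00:03 cifs/servername.domainname.se@DOMAINNAME.SE
   0 03/25/06 18:00:03 host/servername.domainname.se@DOMAINNAME.SE
   0 03/25/06 18:00:03 HTTP/servername.domainname.se@DOMAINNAME.SE
   0 03/25/06 18:00:03 servername$@DOMAINNAME.SE
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+@\S+)$")  # kvno, timestamp, principal


def parse_keytab_listing(text):
    """Return (kvno, principal) tuples from klist -kt output; header lines do not match."""
    return [(int(m.group(1)), m.group(3))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def audit_keytab(text, server_fqdn, realm, required=("cifs", "host")):
    """Return findings (empty list = consistent): wrong realm, service principals
    naming another host, missing services (cifs is what SMB tickets are issued
    for), and keys with differing KVNOs, since a keytab whose KVNO lags the KDC's
    current key is a classic cause of incoming-ticket verification failures."""
    findings, services = [], set()
    entries = parse_keytab_listing(text)
    if not entries:
        return ["no keytab entries parsed"]
    for kvno, principal in entries:
        name, _, prin_realm = principal.rpartition("@")
        if prin_realm != realm:
            findings.append(f"{principal}: realm {prin_realm} != {realm}")
        if "/" in name:  # service/host principal, not the servername$ account
            service, host = name.split("/", 1)
            services.add(service.lower())
            if host.lower() != server_fqdn.lower():
                findings.append(f"{principal}: host {host} != {server_fqdn}")
    for svc in required:
        if svc not in services:
            findings.append(f"missing service principal {svc}/{server_fqdn}")
    kvnos = Counter(kvno for kvno, _ in entries)
    if len(kvnos) > 1:
        findings.append("mixed KVNOs: " + ", ".join(
            f"kvno {k}: {n} keys" for k, n in sorted(kvnos.items())))
    return findings
```

On a live server, pipe the real output in with `sudo klist -kt | python3 -c '...'` or paste it in place of the sample; `klist -kte` adds the encryption type per key if the repeated lines need explaining.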
 
That looks pretty good to me. To double check, I ran the commands against my OD Master and found that all to be mostly the same. I don't have a servername$@DOMAINNAME.SE entry, but you are binding into AD, so this is probably the computer account record for that.

Things look good on that front....hmmm.

I'm going to send you a PM in a couple :)
 
Just been reading into this and looking for a solution myself.
I have a server running 10.4.11; it used to be an OD master, I put it back to standalone, then bound it to AD.
When I went into Server Admin and hit the Join Kerberos button, it would say null.
If I rebooted the machine and went back into Server Admin, the Join Kerberos button would be gone.

The problem was that the server used to be an OD master, so it doesn't matter what you do, it will never be able to join the AD Kerberos realm unless you do a clean install.

Reinstalled the OS, ran updates up to 10.4.11, bound to AD (using the AD DNS address as the DNS address for the server),
rebooted,
went into Server Admin and clicked the Join Kerberos button; now it allows me to select the domain that I have just bound the server to.
Entered credentials, rebooted once again, and when I go into WGM it populates with the AD users and groups.
 