mn time was off between servers..

machine:~ cdowns$ ps ax | grep ntpd
1068 ?? Ss 0:00.01 ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
1163 std R+ 0:00.01 grep ntpd
machine:~ cdowns$

## kill and restart ntpd
sudo kill -9 1068 ; ntpdate -s tick.mit.edu
sudo ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid &

that fixed it.. time was off by almost 5 minutes between servers.

~!>D

[QUOTE BY= honestpuck] Here’s the setup

server_a is a perfectly working KDC running 10.3.4 Server that has no problems. I can use single signon to my hearts content with it.

server_b is running 10.3.4 (not Server) and I want to be able to single sign on to it.

I use kinit to get myself a ticket from the KDC. That works and I now have a ticket (checked with klist). I then do an ssh to server_a. That works and I now have a host ticket for server_a.

I try and use ssh to log on to server_b. It fails with “Disconnecting: Protocol error: didn’t expect packet type 34” but a klist tells me that I now have a host ticket for server_b. I get an identical error if I try using ‘sftp’ instead of ‘ssh’.

Anybody seen this before?

Tony[/QUOTE]

Yes, I have that too. I just appears, when you have more than one KDC in your network.
You get a Kerberos TGT from one server (Win-KDC for example, when you logged in as AD-user) and try to authenticate to the Mac-KDC. ssh to the Mac-KDC means that kerberos-authentication is tried before ssh-key or password.

Easy solution: check your tickets in terminal (with “klist”). If you have some destroy them all or only the one for the Mac-KDC.

Good solution: try to configure a cross-realm with your 2 KDCs (this will take you a couple of days to understand Kerberos properly; but it#s not wasted time, if you’re an admin).