Kerberos login creates ticket, then error.
This topic has 8 replies, 2 voices, and was last updated 16 years, 9 months ago by afp548contributor.
June 30, 2008 at 10:11 pm #373274
dvsjr, Participant
Today I set up a third 10.4 server on my network to act as a file server. A DNS entry was created for the server, a static IP assigned, and I bound it to our Active Directory as a standalone server. It pulls users and groups from the Active Directory domain perfectly, and I was able to assign a sharepoint with owner and group from the AD domain. changeip -checkhostname checks out OK. No DNS error; the IP address and DNS match.
When I attempt to connect to another Mac server (also bound to the Active Directory domain) from this Mac, a Kerberos login prompt appears. Once I log in, I immediately get an error: “Connection Failed. Unknown user, incorrect password, or login is disabled. Please retype the name and password or contact the server’s administrator.” Subsequent attempts show this same error.
If I open the Kerberos utility and destroy the Kerberos ticket, reconnect but then bypass the Kerberos login (hitting Escape) and log in using DHX2, I can connect.
I examined the realm info using the Kerberos utility in CoreServices; the realm info appears correct. It's listed as the same name as my domain but all in CAPS, which I believe is correct (DOMAIN.COM).
Under the Servers listing I see two of my servers listed, both under kdc with port 88 and both servers under admin with port 749. I see a ticket created in the ticket cache, and entries under the Tickets below this for each server I attempt to connect to. Any attempt to connect to a Mac server creates a ticket, but with the same error code.
Thanks in advance for your time.
June 30, 2008 at 10:21 pm #373275
dvsjr, Participant
Addition: I just deleted the realm and manually recreated it using the exact same info. I connected to a server, logged in at the Kerberos prompt, and it worked (no error). Connecting to a different server, Kerberos worked (i.e. no credentials were asked for; I was prompted to choose my server share without logging in, as normal). I don’t see how this is a fix, as the info for the realm I entered is identical to what it was before.
July 2, 2008 at 1:53 pm #373284
dvsjr, Participant
After getting the error, I deleted and recreated the realm, and this seems to have resolved the issue on the server I was originally working on.
However, I went to a client Mac that also has been known to have this issue. I opened the Kerberos utility from the CoreServices folder, clicked New and created a Ticket Cache.
The ticket cache format is: (v5) [email protected] I then tried logging into the same server I used with the other Macintosh and it created a ticket in the format of: krbtgt/[email protected] 10:00 and afpserver/[email protected] 10:00 The connection to the server is made, but the shares window is empty. If I destroy the ticket and connect again without using Kerberos, the shares appear and connect normally.
My domain and realm are the same name; I’m not sure where things are breaking here. Thanks for the offer to help me understand it.
July 2, 2008 at 6:34 pm #373290
dvsjr, Participant
Yes, 10.4 AFP server was the OS I was connecting to, and no, I am the AD admin and we have probably no more than 4-5 groups altogether.
Another strange test: I used my own 10.4.11 Tiger OS Mac to connect to these servers. (All my Mac servers are still Tiger.) I followed the same steps as in my most recent post: I opened Kerberos, clicked New, typed in my password (REALM.COM was correct), then connected to the server. Again I was connected using SSO, but once I mounted the proper share (this time I could see all the shares) I couldn't open the share; I got an insufficient access privileges error.
July 2, 2008 at 7:28 pm #373292
dvsjr, Participant
Quote by MacTroll:
    So to the AFP server logs. I’m curious as to if you see any difference between the two different issues when using Kerberos and when using non-Kerb.
I'm not sure I follow, as I posted this info before; maybe this isn’t what you are referring to?
If I connect, I am first prompted to log in with a Kerberos login. If I do that, I get the error. Any subsequent attempts to connect are instant fails, until I delete the ticket using the Kerberos utility.
If I don't use Kerberos, but instead cancel it, I am prompted with the DHX2-style login. This works perfectly, and shares show up and mount as they should.