Kerberos authenticates but no ticket created?

    #369572
    pliny
    Participant

    My OD server is kerberized and dir admin shows Kerberos as running. When I sign on to a client machine, my password server service log gives me something like this:
    Jul 19 2007 14:26:05 KERBEROS-LOGIN-CHECK: user {0x4697c84d5799a1e80000004a0000004a, tweedledee} is in good standing.
    Jul 19 2007 14:26:05 QUIT: {no user} disconnected.
    Jul 19 2007 14:26:05 KERBEROS-LOGIN-CHECK: user {0x4697c84d5799a1e80000004a0000004a, tweedledee} authentication succeeded.
    Jul 19 2007 14:26:05 QUIT: {no user} disconnected.

    However, no ticket is created and no ticket visible when I open the Kerberos app. If I try to create a ticket directly via the Kerberos app, the password log again gives me:
    Jul 19 2007 14:52:52 KERBEROS-LOGIN-CHECK: user {0x4697d574196b1d3f0000004b0000004b, tweedledum} is in good standing.
    Jul 19 2007 14:52:52 QUIT: {no user} disconnected.
    Jul 19 2007 14:52:52 KERBEROS-LOGIN-CHECK: user {0x4697d574196b1d3f0000004b0000004b, tweedledum} authentication succeeded.
    Jul 19 2007 14:52:52 QUIT: {no user} disconnected.

    However, Kerberos App carps: “Kerberos Login Failed: Can’t send request (send_to_kdc)”

    Trying to troubleshoot this non-authentication authentication – any ideas where this could be originating, or where my Kerb might be mis-configured?

    #369574
    pliny
    Participant

    Two more pieces:

    1. From the system log:
    Jul 19 16:21:19 thefly mDNSResponder: ERROR: Only name server claiming responsibility for “_kerberos._udp.THEFLYLOCAL.” is “.”!
    Jul 19 16:21:20 thefly mDNSResponder: ERROR: Only name server claiming responsibility for “_kerberos.thefly.” is “.”!

    2. edu.mit.Kerberos that is generated on the client side contains 100% outdated config info. I manually updated it before the previous post in this thread. But the fact that this bad edu.mit is being created means that I still have bad config info somewhere on the server side.

    Is it possible to “re-kerberize” my OD? Can I trash my Kerberos domain with the Kerberos.app tool and start over? Or is that a really bad idea?
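
An added example, not part of the thread: a small Python check for the situation described in the post above, where the client's edu.mit.Kerberos file (krb5 profile syntax) still carries outdated settings. It parses the file text and reports realms whose `kdc` entries do not match the server you expect. The sample text, realm names, host names and the function names `parse_profile` and `audit` are assumptions made for illustration.

```python
import re

# Constructed sample in the krb5 profile syntax used by edu.mit.Kerberos;
# realm and host names are placeholders, not values from the thread.
SAMPLE = """\
[libdefaults]
    default_realm = OD.EXAMPLE.COM
[realms]
    OD.EXAMPLE.COM = {
        kdc = oldserver.example.com:88
        admin_server = oldserver.example.com
    }
    EMPTY.EXAMPLE.COM = {
    }
"""

def parse_profile(text):
    """Return (default_realm, {realm: [kdc hosts]}) from krb5 profile text."""
    section, realm, default_realm, realms = None, None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section == "libdefaults" and (m := re.fullmatch(r"default_realm\s*=\s*(\S+)", line)):
            default_realm = m.group(1)
        elif section == "realms":
            if m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
                realm = m.group(1)
                realms[realm] = []
            elif line == "}":
                realm = None
            elif realm and (m := re.fullmatch(r"kdc\s*=\s*(\S+)", line)):
                realms[realm].append(m.group(1).split(":")[0].lower())
    return default_realm, realms

def audit(text, expected_kdc):
    """List problems that would keep a client from reaching expected_kdc."""
    default_realm, realms = parse_profile(text)
    problems = []
    if default_realm not in realms:
        problems.append(f"default realm {default_realm} has no [realms] entry")
    for name, kdcs in realms.items():
        if not kdcs:
            # With no kdc listed, the client has to find the KDC through DNS.
            problems.append(f"{name}: no kdc listed")
        problems += [f"{name}: stale kdc {k}" for k in kdcs if k != expected_kdc.lower()]
    return problems
```

To check a real client, pass the contents of its edu.mit.Kerberos file and the fully qualified name of the OD master to `audit`.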

    #369583
    pliny
    Participant

    Thanks for the reply. I turned on Inspector in the WGM and hacked a few XML files under Config -> KerberosKDC to correctly push edu.mit to client machines. Thanks!

    Before I go further (authentication problems persist) I want to make sure I’m doing this for the right reasons – in short, I believe I need Kerberos in order to automount share points on client machines _with_ authentication. This will allow clients, freelancers, staff, etc. to immediately access project folders that I control via ACLs, etc.

    I understand that I must enable guest access for automounts or else enable Kerberos authentication. Correct?

    #369585
    pliny
    Participant

    “Two ways to do this […] or to use WGM to set up sharepoints as login items.”

    I had previously abandoned this path because I cannot (still) for the life of me figure out how to add Mounts to Login Items beyond the available checkbox items. Anything I browse to via “Add…” is treated as a folder. (Love to know if I am missing something here.)

    My kludge is to make my desired automount a group share point and to add it to Login Items with the “Add Group Share Point” option – works, even though it is a limiting, imperfect solution.

    Can I add Volume Mounts arbitrarily? Or am I limited to “User Home” and “Group Home”?

    Thanks again Joel.
