Kerberos borks on packet type 34

    #358431
    honestpuck
    Participant

    Here’s the setup

    server_a is a perfectly working KDC running 10.3.4 Server that has no problems. I can use single sign-on to my heart's content with it.

    server_b is running 10.3.4 (not Server) and I want to be able to single sign on to it.

    I use kinit to get myself a ticket from the KDC. That works and I now have a ticket (checked with klist). I then do an ssh to server_a. That works and I now have a host ticket for server_a.

    I try and use ssh to log on to server_b. It fails with “Disconnecting: Protocol error: didn’t expect packet type 34” but a klist tells me that I now have a host ticket for server_b. I get an identical error if I try using ‘sftp’ instead of ‘ssh’.

    Anybody seen this before?

    Tony

    #358437
    honestpuck
    Participant

    Joel,

    No, server_b is not a KDC. I only want to run the one KDC.

    I figured out the problem. I’d created the principals for server_b on server_b so the keytabs on the two machines were different. Creating the principals on server_a and then copying the keytab from server_a to server_b fixed it.

    Doco is a bit thin on the ground for this sort of thing. I’m going to have to write it up myself, I think. <g>

    Works a charm.

    Tony

    #359980
    Anonymous
    Guest

    what do you mean by “keytab” ?

    thanks.

    ~!>D

    #359981
    Anonymous
    Guest

    my time was off between servers..

    machine:~ cdowns$ ps ax | grep ntpd
    1068 ?? Ss 0:00.01 ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
    1163 std R+ 0:00.01 grep ntpd
    machine:~ cdowns$

    ## kill and restart ntpd
    sudo kill -9 1068 ; ntpdate -s tick.mit.edu
    sudo ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid &

    that fixed it.. time was off by almost 5 minutes between servers.

    ~!>D

    #359983
    honestpuck
    Participant

    [QUOTE BY= cdowns] what do you mean by "keytab" ?

    thanks.

    ~!>D[/QUOTE]

    The keytab is where the KDC stores all the principals and keys for the various machine/service combinations. On OS X it can be found at /etc/krb5.keytab

    Joel’s two excellent articles on Kerberos explain it all, you can find them in the ‘Old Articles’ section.

    Tony Williams
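    Both causes of the "packet type 34" failure discussed in this thread (a client keytab whose principals were created separately from the KDC's, and clock skew between the hosts) can be checked from the client side before going near ssh. The script below is an added example, not code from the original posts or from Apple's Kerberos tooling: it parses the output of `klist -k` as captured on the KDC and on the client (the sample listings are constructed, with example.com hostnames and an EXAMPLE.COM realm), flags principals whose key version numbers do not agree, and compares two timestamps against the MIT Kerberos default clock-skew tolerance of 300 seconds. The `klist -k` column layout assumed here is the MIT format (KVNO, then principal).

```python
"""Client-side Kerberos sanity checks for the two failure modes in this thread:
a keytab that does not match what the KDC issued, and clock skew larger than the
KDC tolerates. All sample data below is constructed for illustration."""
from datetime import datetime

# MIT Kerberos default clock-skew tolerance ("clockskew" in krb5.conf), in seconds.
MAX_CLOCK_SKEW = 300

# Constructed `klist -k` output: the keytab as exported on the KDC (server_a)...
KDC_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server_a.example.com@EXAMPLE.COM
   3 host/server_b.example.com@EXAMPLE.COM
"""

# ...and the keytab server_b had when its principal was created locally instead.
CLIENT_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/server_b.example.com@EXAMPLE.COM
"""


def parse_klist_keytab(text):
    """Parse `klist -k` output into {principal: set of kvno}.

    Header lines and the dashed separator have more than two fields or a
    non-numeric first field, so only '<kvno> <principal>' rows are kept."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        kvno, principal = int(parts[0]), parts[1]
        entries.setdefault(principal, set()).add(kvno)
    return entries


def compare_keytabs(kdc, client):
    """Return a list of problems for every principal in the client keytab.

    A principal unknown to the KDC, or one whose key version numbers on the
    client do not overlap the KDC's, was almost certainly created independently
    on each host. Note that an equal kvno is necessary but not sufficient:
    `klist -k` does not show the key material itself."""
    problems = []
    for principal, client_kvnos in client.items():
        kdc_kvnos = kdc.get(principal)
        if kdc_kvnos is None:
            problems.append(f"{principal}: present on client, unknown to KDC")
        elif not (kdc_kvnos & client_kvnos):
            problems.append(f"{principal}: kvno {sorted(client_kvnos)} on client, "
                            f"{sorted(kdc_kvnos)} on KDC")
    return problems


def clock_skew_seconds(kdc_time, client_time):
    """Absolute difference in seconds between two ISO 8601 timestamps
    (e.g. the output of `date -u +%Y-%m-%dT%H:%M:%S+00:00` on each host)."""
    a = datetime.fromisoformat(kdc_time)
    b = datetime.fromisoformat(client_time)
    return abs((a - b).total_seconds())


def skew_ok(kdc_time, client_time, tolerance=MAX_CLOCK_SKEW):
    """True when the hosts' clocks are within the KDC's tolerance."""
    return clock_skew_seconds(kdc_time, client_time) <= tolerance


if __name__ == "__main__":
    kdc = parse_klist_keytab(KDC_KEYTAB)
    client = parse_klist_keytab(CLIENT_KEYTAB)
    for problem in compare_keytabs(kdc, client):
        print("keytab mismatch:", problem)
    # A skew of 4m50s passes; the ~5 minutes reported in the thread does not.
    print("skew within tolerance:",
          skew_ok("2004-08-01T10:00:00+00:00", "2004-08-01T10:05:10+00:00"))
```

    On a real pair of hosts, run `klist -k` on both and feed the captured text to `parse_klist_keytab`; a reported mismatch is the situation the second post describes, and the fix is the same: create the principal on the KDC and copy that keytab to the client rather than generating one locally.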

    #361598
    Anonymous
    Guest

    [QUOTE BY= honestpuck] Here’s the setup

    server_a is a perfectly working KDC running 10.3.4 Server that has no problems. I can use single sign-on to my heart's content with it.

    server_b is running 10.3.4 (not Server) and I want to be able to single sign on to it.

    I use kinit to get myself a ticket from the KDC. That works and I now have a ticket (checked with klist). I then do an ssh to server_a. That works and I now have a host ticket for server_a.

    I try and use ssh to log on to server_b. It fails with “Disconnecting: Protocol error: didn’t expect packet type 34” but a klist tells me that I now have a host ticket for server_b. I get an identical error if I try using ‘sftp’ instead of ‘ssh’.

    Anybody seen this before?

    Tony[/QUOTE]

    Yes, I have that too. It just appears when you have more than one KDC in your network.
    You get a Kerberos TGT from one server (a Win-KDC, for example, when you logged in as an AD user) and try to authenticate to the Mac-KDC. ssh to the Mac-KDC means that Kerberos authentication is tried before ssh key or password.

    Easy solution: check your tickets in Terminal (with “klist”). If you have some, destroy them all or only the one for the Mac-KDC.

    Good solution: try to configure a cross-realm with your 2 KDCs (this will take you a couple of days to understand Kerberos properly; but it’s not wasted time, if you’re an admin).
