Viewing 11 posts - 1 through 11 (of 11 total)
    #358210
    bustthis
    Participant

    I was forced to do a complete reinstall of 10.3.4 server over the weekend… now Kerberos acts a little weird. On my previous installation, I did not have DNS set up, so Kerberos needed to be set up manually, and it worked great. With the new install, Kerberos “just worked” after setting up DNS and promoting to an OD master. 🙂

    First, I noticed that when my hostname changed from localhost to my server’s name, during the periodic daily maintenance I would get errors saying Kerberos couldn’t bind to port 749 (address already in use, etc.). I had to change the watchdog.conf to:
    # DEFAULTS
    #kadmind:respawn:/usr/sbin/kadmind -passwordserver
    #kdc:respawn:/usr/sbin/krb5kdc
    #NEW
    kadmind:respawn:/usr/sbin/kadmind -passwordserver -nofork
    kdc:respawn:/usr/sbin/krb5kdc -n

    This fixed that problem, but now I am getting multiple tickets issued to me for krbtgt and imap for the same user. Is this normal behavior?

    #358214
    bustthis
    Participant

    2 krbtgts for the same user… I remember on my last setup, tickets were issued as they were needed and if they weren’t expired. Now I get them all the time, mostly for krbtgt and imap… the Kerberos app lists 2 imap tickets for the same user.

    I also notice that the case changes after I get a new krbtgt ticket, from [email protected] to [email protected]… not sure if this makes a difference or not?

    #358223
    bustthis
    Participant

    OK, let me ask a lame question… I have Mail.app set up for 3 IMAP accounts on a 10.3.4 client. All 3 accounts are users that live in ldap/127.0.0.1 on the server; all are set to use GSSAPI K5 for SMTP and IMAP.

    I get 3 imap tickets for “user 1” when checking mail for 3 different users. Does this make sense? Shouldn’t I be getting tickets for “user1”, “user2” and “user3”? Am I way off track?

    #358286
    bustthis
    Participant

    Any recommendations on a better Kerberos mail client? I don’t like Eudora!

    This only happens from time to time; I get 3 imap tickets for the user that’s logged in… haven’t seen anyone else talk about this problem.

    Maybe this is a new post, sorry…

    I am reading this now: http://web.mit.edu/macdev/KfM/Common/Documentation/preferences-osx.html#quickguide

    I don’t seem to have /etc/krb5.conf… I guess /var/db/krb5kdc/kdc.conf is being used. The reason I am asking is because I would like to see some of the logs associated with Kerberos. I have the following lines in:
    [logging]
    kdc = FILE:/var/log/krb5kdc/kdc.log
    admin_server = FILE:/var/log/krb5kdc/kadmin.log

    but no .log files are being created. Do I need to add a line to /etc/syslog?

    Hopefully, if enough people report the Mail.app bug to Apple they will update it.

    Thanks for your help
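A quick check on the [logging] stanza quoted in the post above, as an added example (not code from the thread or from Apple's or MIT's tooling): it parses a krb5-style profile (kdc.conf and krb5.conf share the format), pulls the FILE: targets out of [logging] and reports the components whose log directory does not exist. A FILE: target the daemon cannot open produces no log file, so an absent directory is one of the first things to rule out. The profile text is constructed; only the two FILE: lines are taken from the post, the rest is filler so the parser has other sections to skip.

```python
"""Inspect the [logging] stanza of a krb5 profile and flag FILE: targets
whose directory is absent.

Added example for this thread; SAMPLE_PROFILE is constructed and only
reuses the two FILE: lines quoted in the post.
"""
import os
import re
from typing import Callable, Dict, List

SECTION_RE = re.compile(r"^\[(\w+)\]$")
KV_RE = re.compile(r"^(\w+)\s*=\s*(.+?)\s*$")

# Constructed profile: the two FILE: lines are the ones from the post,
# the other sections are filler that the parser must skip correctly.
SAMPLE_PROFILE = """\
[kdcdefaults]
    kdc_ports = 88
[logging]
    kdc = FILE:/var/log/krb5kdc/kdc.log
    admin_server = FILE:/var/log/krb5kdc/kadmin.log
    default = SYSLOG:INFO:DAEMON
[realms]
    EXAMPLE.COM = {
        database_name = /var/db/krb5kdc/principal
    }
"""


def parse_profile(text: str) -> Dict[str, Dict[str, str]]:
    """Flat section -> {key: value} view; nested '{ ... }' blocks are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SECTION_RE.match(line):
            current, depth = m.group(1), 0
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if current is not None and depth == 0 and (m := KV_RE.match(line)):
            sections[current][m.group(1)] = m.group(2)
    return sections


def logging_targets(text: str) -> Dict[str, str]:
    """The [logging] section as {component: target}, e.g. {'kdc': 'FILE:/...'}."""
    return parse_profile(text).get("logging", {})


def file_targets(targets: Dict[str, str]) -> Dict[str, str]:
    """Only FILE: destinations, mapped to their bare path."""
    return {comp: tgt[len("FILE:"):] for comp, tgt in targets.items()
            if tgt.startswith("FILE:")}


def missing_log_dirs(targets: Dict[str, str],
                     isdir: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Components whose FILE: target sits in a directory that does not exist.
    `isdir` is injectable so the check can be exercised without touching disk."""
    return [comp for comp, path in file_targets(targets).items()
            if not isdir(os.path.dirname(path))]


if __name__ == "__main__":
    targets = logging_targets(SAMPLE_PROFILE)
    print("logging targets:", targets)
    print("FILE: targets with a missing directory:", missing_log_dirs(targets))
```

Run it as-is and it checks the real filesystem; on a box where /var/log/krb5kdc has not been created, both components come back as missing.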

    #358381
    honestpuck
    Participant

    bustthis,

    If you go to the KDC machine and do a plain ‘sudo klist’, what exactly are the tickets you’re seeing?

    I had a problem similar to this when the KDC was on a machine with two DNS names and the realm was not the canonical one. A principal list showed that it had principals for both names and it sometimes issued duplicate tickets.

    Tony

    #358386
    bustthis
    Participant

    % sudo klist
    Password:
    Kerberos 5 ticket cache: ‘API:Initial default ccache’
    Default Principal: [email protected]
    Valid Starting     Expires            Service Principal
    07/01/04 00:19:02  07/01/04 10:19:02  krbtgt/[email protected]
            renew until 07/08/04 00:19:02

    % sudo klist -kt
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       3 06/02/04 04:16:40 host/[email protected]
       3 06/02/04 04:16:40 host/[email protected]
       3 06/02/04 04:16:40 host/[email protected]
       3 06/02/04 04:16:40 smtp/[email protected]
       3 06/02/04 04:16:40 smtp/[email protected]
       3 06/02/04 04:16:40 smtp/[email protected]
       3 06/02/04 04:16:40 pop/[email protected]
       3 06/02/04 04:16:40 pop/[email protected]
       3 06/02/04 04:16:40 pop/[email protected]
       3 06/02/04 04:16:40 imap/[email protected]
       3 06/02/04 04:16:40 imap/[email protected]
       3 06/02/04 04:16:40 imap/[email protected]
       3 06/02/04 04:16:40 ftp/[email protected]
       3 06/02/04 04:16:40 ftp/[email protected]
       3 06/02/04 04:16:40 ftp/[email protected]
       3 06/02/04 04:16:40 afpserver/[email protected]
       3 06/02/04 04:16:40 afpserver/[email protected]
       3 06/02/04 04:16:40 afpserver/[email protected]

    If I leave my Mail.app open for a few days, I start getting error messages… bad login and TOKEN errors.

    #358387
    honestpuck
    Participant

    Well all that looks hunky dory.

    Hmmmm.

    Are you getting the first ticket from Mail.app or at login? That ticket list you show there has no service tickets, so I assume that was just at login, as otherwise you’d have a pop or imap ticket.

    What do the tickets look like when the kerberos app is reporting two tickets for the same user?

    Have you tried multiple logins with ssh or sftp to see if they generate the same problem?

    Just trying to think of ways of isolating exactly what part of the system is generating the problem.

    Tony

    #358388
    bustthis
    Participant

    I’m sorry, that was from the server… I see the problem with the client I use every day, so here it is from the client:
    [workstation1:~] charlesx% sudo klist
    Password:
    Kerberos 5 ticket cache: ‘API:Initial default ccache’
    Default Principal: [email protected]
    Valid Starting     Expires            Service Principal
    07/01/04 02:32:54  07/01/04 12:32:54  krbtgt/[email protected]
            renew until 07/08/04 02:32:54
    07/01/04 02:32:57  07/01/04 12:32:54  afpserver/[email protected]
            renew until 07/08/04 02:32:54
    07/01/04 02:34:10  07/01/04 12:32:54  imap/[email protected]
            renew until 07/08/04 02:32:54
    07/01/04 02:35:10  07/01/04 12:32:54  host/[email protected]
            renew until 07/08/04 02:32:54
    07/01/04 03:52:18  07/01/04 12:32:54  smtp/[email protected]
            renew until 07/08/04 02:32:54

    Obviously, I don’t have 3 imap tickets in this example, but I usually get 2 or 3 imap tickets for user charlesx when 3 different users log in from Mail.app.
    It seems to happen if I need to reboot the client after a few days and I first launch Mail.app. I find if my client is up for a week, I start getting bad login errors and TOKEN – malformed, etc…

    I haven’t seen this behavior in ssh, sftp, or smtp… however, when I ssh into the server, I get unknown_pid errors that I guess are sshd related. If I use an ssh or sftp GUI, like Fugu or RBrowser, I get 4 to 5 krbtgt tickets, but I guess that’s normal… I don’t know.

    #358391
    bustthis
    Participant

    Okay, here is an example of when I am issued 3 tickets for imap…

    Kerberos 5 ticket cache: ‘API:Initial default ccache’
    Default Principal: [email protected]
    Valid Starting     Expires            Service Principal
    07/01/04 15:04:56  07/02/04 01:04:54  krbtgt/[email protected]
            renew until 07/08/04 15:04:54
    07/01/04 15:04:54  07/02/04 01:04:52  afpserver/[email protected]
            renew until 07/08/04 15:04:52
    07/01/04 15:05:45  07/02/04 01:04:52  imap/[email protected]
            renew until 07/08/04 15:04:52
    07/01/04 15:05:45  07/02/04 01:04:52  imap/[email protected]
            renew until 07/08/04 15:04:52
    07/01/04 15:05:45  07/02/04 01:04:52  imap/[email protected]
            renew until 07/08/04 15:04:52

    I noticed last night that one of my network users was issued 2 krbtgt and 2 afp tickets upon logging in. Other than that, I haven’t seen anything that helps me figure out this problem.

    #358393
    honestpuck
    Participant

    That is weird. You’re getting three tickets all at the same time.

    Why are you not getting host names in your tickets? I think you’ve got something wrong with your setup.

    My tickets on a client look like this

    % klist
    Kerberos 5 ticket cache: ‘API:Initial default ccache’
    Default Principal: [email protected]
    Valid Starting     Expires            Service Principal
    06/25/04 11:28:55  06/25/04 21:28:55  krbtgt/[email protected]
            renew until 07/02/04 11:28:55
    06/25/04 11:29:19  06/25/04 21:28:55  host/[email protected]
            renew until 07/02/04 11:28:55
    06/25/04 11:34:32  06/25/04 21:28:55  afpserver/[email protected]
            renew until 07/02/04 11:28:55

    Notice how I’ve got the server name on both sides of the service tickets and on the right side of the login ticket. You’re missing that and this makes me suspect something seriously wrong with the setup.

    Check your edu.mit.Kerberos file and then blow away the keytab file and /var/db/krb5kdc directory and build it from scratch by hand.

    Tony
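One way to check a klist listing for the three things the last few posts are chasing (the same imap ticket cached three times, Tony's point that service principals should carry the server's host name on the instance side, and tickets that have run past their expiry while the client stays up). This is an added example and not code from the thread; the sample listing is constructed in the shape of the listings above with placeholder user, host and realm names, and the expiry check only reports cache state, it does not claim to explain the Mail.app errors.

```python
"""Parse `klist` output and check it for: a service ticket cached more than
once, service principals whose instance is not a fully qualified host name,
and tickets already past their expiry.

Added example, not code from the original posts. SAMPLE_KLIST is
constructed to match the shape of the listings in the thread; the user,
host and realm are placeholders.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TIME_FMT = "%m/%d/%y %H:%M:%S"          # klist's own timestamp format
_TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)$")
RENEW_RE = re.compile(rf"^renew until ({_TS})$")
PRINCIPAL_RE = re.compile(r"^Default Principal:\s*(\S+)$")

# Constructed listing: three identical imap entries as in the post, plus one
# smtp ticket with a short host name to exercise the FQDN check.
SAMPLE_KLIST = """\
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default Principal: charlesx@EXAMPLE.COM
Valid Starting     Expires            Service Principal
07/01/04 15:04:56  07/02/04 01:04:54  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/08/04 15:04:54
07/01/04 15:04:54  07/02/04 01:04:52  afpserver/server.example.com@EXAMPLE.COM
        renew until 07/08/04 15:04:52
07/01/04 15:05:45  07/02/04 01:04:52  imap/server.example.com@EXAMPLE.COM
        renew until 07/08/04 15:04:52
07/01/04 15:05:45  07/02/04 01:04:52  imap/server.example.com@EXAMPLE.COM
        renew until 07/08/04 15:04:52
07/01/04 15:05:45  07/02/04 01:04:52  imap/server.example.com@EXAMPLE.COM
        renew until 07/08/04 15:04:52
07/01/04 15:06:02  07/02/04 01:04:52  smtp/server@EXAMPLE.COM
        renew until 07/08/04 15:04:52
"""


@dataclass
class Ticket:
    starts: datetime
    expires: datetime
    service: str
    renew_until: Optional[datetime] = None

    @property
    def instance(self) -> str:
        """Instance component: the 'host' in imap/host@REALM ('' if absent)."""
        name = self.service.split("@", 1)[0]
        return name.split("/", 1)[1] if "/" in name else ""


def parse_klist(text: str) -> Tuple[str, List[Ticket]]:
    """Return (default principal, tickets); 'renew until' lines attach to the
    ticket on the line above them, header lines are ignored."""
    principal = ""
    tickets: List[Ticket] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := PRINCIPAL_RE.match(line):
            principal = m.group(1)
        elif m := TICKET_RE.match(line):
            tickets.append(Ticket(datetime.strptime(m.group(1), TIME_FMT),
                                  datetime.strptime(m.group(2), TIME_FMT),
                                  m.group(3)))
        elif (m := RENEW_RE.match(line)) and tickets:
            tickets[-1].renew_until = datetime.strptime(m.group(1), TIME_FMT)
    return principal, tickets


def duplicate_services(tickets: List[Ticket]) -> Dict[str, int]:
    """Service principals that appear more than once in the cache."""
    counts = Counter(t.service for t in tickets)
    return {svc: n for svc, n in counts.items() if n > 1}


def unqualified_services(tickets: List[Ticket]) -> List[str]:
    """Service tickets whose instance has no dot, i.e. is not a FQDN.
    krbtgt/REALM is skipped: its instance is the realm, not a host."""
    return [t.service for t in tickets
            if not t.service.startswith("krbtgt/") and "." not in t.instance]


def expired(tickets: List[Ticket], now: datetime) -> List[str]:
    """Service principals whose ticket end time is at or before `now`."""
    return [t.service for t in tickets if t.expires <= now]


def report(text: str, now_str: str) -> dict:
    """Run all three checks; `now_str` is given in klist's timestamp format."""
    principal, tickets = parse_klist(text)
    return {
        "principal": principal,
        "tickets": len(tickets),
        "duplicates": duplicate_services(tickets),
        "unqualified": unqualified_services(tickets),
        "expired": expired(tickets, datetime.strptime(now_str, TIME_FMT)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_KLIST, "07/02/04 02:00:00").items():
        print(f"{key}: {value}")
```

To use it on a live machine, pipe the real listing in (for example `report(subprocess.run(["klist"], capture_output=True, text=True).stdout, now)`); the parser only depends on the two-timestamp row layout and the "renew until" continuation line that the listings in this thread show.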

    #358396
    bustthis
    Participant

    I do get a server hostname like server.mydomain.com; I just put mydomain.com for the example.
