Kerberos pop service principal missing for email
This topic has 10 replies, 2 voices, and was last updated 21 years, 2 months ago by Anonymous.
January 28, 2004 at 4:20 pm #357273
Anonymous (Participant)
Now that Panther has been out for a while I am hoping someone has enough experience with it to help me with this problem. I asked this question a couple of months ago but got no response. I assume it was because no one had yet looked at this. I installed a fresh copy of Panther server and have most everything working except email.
When I try to get mail from my POP server, which is set up for Kerberos authentication (I’m running Open Directory master), the mail log shows the error message:
No service principal found for: pop_principal
Unfortunately, I cannot get any of the kadmin tools to work so I cannot add that principal myself (although I wonder why it was not created automatically by the installer). None of the Kerberos files are in any of the expected places (or anywhere I can find either). Obviously, they exist somewhere since Kerberos authentication is working for Open Directory but not where they should be (/var/db/krb5kdc or /etc/krb5*).
I am at my wits' end trying to find how Kerberos was implemented under Panther so I can fix this. Can someone please help me out? TIA.
January 28, 2004 at 6:18 pm #357275
Anonymous (Participant)
As I said in my original message there is no /etc/krb5*. Panther apparently puts everything somewhere else that I can’t find. klist, kadmin.local all fail.
January 29, 2004 at 12:13 pm #357284
Anonymous (Participant)
Thanks for the replies.
Why was the Kerberos environment (as opposed to the KDC) not set up with the install? It is working now with Open Directory. How do I set up the environment without breaking Open Directory? Where is this documented?
January 29, 2004 at 2:31 pm #357285
Anonymous (Participant)
Hmmm. OK, I decided to take the chance of screwing up my Open Directory and followed the steps in your article. It would seem that my impression that Open Directory uses Kerberos was mistaken as there seems to be no relationship between the two. It appears I have a working KDC but now I need to somehow connect it to Open Directory. When I log in on the client machine, I expected to see some tickets. However, when I fire up ‘Kerberos’ on the client there are no tickets. How did I get logged in to Open Directory with no tickets?
While your article was very informative (why this was not documented by Apple in the Panther server setup is a mystery) it does not explain the connection between Open Directory and the KDC.
Do I need to reboot my server to get this to connect?
January 29, 2004 at 5:30 pm #357287
Anonymous (Participant)
Thanks for helping the mud settle a little but it is still far from clear to me.
So the user/password for logging on to the Open Directory is, indeed, independent from the KDC? That was one of my big stumbling blocks as I thought they were the same and there was nothing in the documentation that indicated otherwise. It certainly explains why I could not find the KDC before following your procedure.
If I understand, the next time I reset a user’s password (or if the user is forced to change their own password?) the user will show up in the KDC?
In order for me to tell the clients they are in a Kerberized environment, I have to go to each client machine and set up the edu.mit.kerberos file? Ugh! Is there a way to automate this (keeping in mind the users are computer illiterate)?
I do have a little Kerberos knowledge but under Unix only. How do I set the realm for Open Directory? I cannot find any place in Server Admin that talks about that. Don’t the KDC realm and Open Directory realm have to be set the same in order to be sync’ed?
January 29, 2004 at 6:31 pm #357289
Anonymous (Participant)
With a little experimentation I think I answered most of my own questions in the positive. I still need to figure out how to run ‘kerberosutoconfigure’ on all my clients. Also OD is apparently independent of realm as my realm seems to work. Now we can get back to my original problem with email although it is quite different now.
When I attempt to authenticate I get prompted for my Kerberos password and using ‘Kerberos’ I can see the ticket. Clearly that much is working. Unfortunately, I still cannot connect to the mail server. When I look in the log, I see the following error messages:
Jan 29 13:23:44 XserveONE pop3d[25534]: Major Error (1): A token was invalid (gss_accept_sec_context)
Jan 29 13:23:45 XserveONE pop3d[25534]: Minor Error (1): Token header is malformed or corrupt (gss_accept_sec_context)
Jan 29 13:23:45 XserveONE pop3d[25534]: Major Error (1): A token was invalid (gss_accept_sec_context)
Jan 29 13:23:45 XserveONE pop3d[25534]: Minor Error (1): Token header is malformed or corrupt (gss_accept_sec_context)
Jan 29 13:23:48 XserveONE pop3d[25534]: badlogin: [130.205.111.239] GSSAPI
Obviously I still have something wrong. Can you still help?
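As an added example (not code from the thread), a small Python parser that groups the pop3d GSSAPI log lines quoted above per session (pid) and names the failure pattern so an admin can spot "server could not accept the client's token" versus a plain bad password. The sample input is the five log lines from this post; the classification wording is my own.

```python
import re
from collections import defaultdict

# Sample input: the pop3d lines quoted in the post above (not a live log).
SAMPLE_LOG = """\
Jan 29 13:23:44 XserveONE pop3d[25534]: Major Error (1): A token was invalid (gss_accept_sec_context)
Jan 29 13:23:45 XserveONE pop3d[25534]: Minor Error (1): Token header is malformed or corrupt (gss_accept_sec_context)
Jan 29 13:23:45 XserveONE pop3d[25534]: Major Error (1): A token was invalid (gss_accept_sec_context)
Jan 29 13:23:45 XserveONE pop3d[25534]: Minor Error (1): Token header is malformed or corrupt (gss_accept_sec_context)
Jan 29 13:23:48 XserveONE pop3d[25534]: badlogin: [130.205.111.239] GSSAPI
"""

# syslog prefix: "Mon DD HH:MM:SS host pop3d[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pop3d\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# GSSAPI diagnostics: "Major|Minor Error (n): text (gss_call)"
GSS_RE = re.compile(r"^(?P<level>Major|Minor) Error \((?P<code>\d+)\): (?P<text>.*) \((?P<call>\w+)\)$")
# Final verdict line: "badlogin: [client-ip] MECH"
BADLOGIN_RE = re.compile(r"^badlogin: \[(?P<ip>[\d.]+)\] (?P<mech>\S+)$")


def parse_pop3d_log(text):
    """Return {pid: {"host", "gss_errors": [(level, call, text)], "badlogin": {...}|None}}."""
    sessions = defaultdict(lambda: {"host": None, "gss_errors": [], "badlogin": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pop3d line; ignore
        s = sessions[m["pid"]]
        s["host"] = m["host"]
        g = GSS_RE.match(m["msg"])
        if g:
            s["gss_errors"].append((g["level"], g["call"], g["text"]))
            continue
        b = BADLOGIN_RE.match(m["msg"])
        if b:
            s["badlogin"] = {"ip": b["ip"], "mech": b["mech"], "ts": m["ts"]}
    return dict(sessions)


def classify(session):
    """Name the failure pattern seen in one pop3d session."""
    calls = {call for _, call, _ in session["gss_errors"]}
    if session["badlogin"] and "gss_accept_sec_context" in calls:
        # Server side could not accept the client's ticket: service principal /
        # keytab problem on the server, not a wrong user password.
        return "server rejected client GSSAPI token (check pop service principal; a restart cleared it in this thread)"
    if session["badlogin"]:
        return "authentication failed via %s" % session["badlogin"]["mech"]
    return "GSSAPI errors without badlogin" if calls else "no auth failure"
```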
January 30, 2004 at 12:10 pm #357294
Anonymous (Participant)
Problem solved. A reboot cleared it up. Looks like OS X is taking a page right out of the Windows book. 😈