Open Directory: Network user login on one computer broken, others work?

  • #369687
    smithsm
    Participant

    I have one computer that all of a sudden stopped allowing any logins from Network users.
    Everything has been working fine for months. No changes to server except a power cycle.
    Local users fine. Network users no logins. Login window shakes.
    Portable home directory users can login only if not connected to network.
    I have tried everything I could find to fix it short of wiping the hard drive and reinstalling.
    I remember having this problem once before, and deleting the DirectoryServices prefs and redoing the
    LDAPv3 server setup in Directory Access fixed it then, but not now.

    I would appreciate some advice on where to look to find out why this machine is so recalcitrant.
    Other machines on the network do not have the problem; network users can log in just fine.

    Client OSX 10.4.10 Mac PB G4 17
    Server OSX 10.4.10 Server OD Master

    Network users show up in the login window

    What I tried:
    Deleted contents of /library/preferences/DirectoryService
    Deleted contents of /library/managed preferences
    Removed LDAP3 server entry in /Applications/Utilities/Directory Access
    Using /applications/utilities/netinfo manager
    Deleted /mcx_cache
    Deleted /config/mcx_cache
    sudo /system/library/coreservices/mcxd.app/contents/resources/mcxcacher -F
    Password:
    DirtyCache(1) == -14136
    sudo rm /Library/Caches/com.apple.LaunchServices*.csstore
    Deleted /Library/Preferences/com.apple.MCX.plist
    Restarted
    No network users show up in login window
    Setup LDAP3 server in directory access with blank binding
    Restarted
    Now network users show up in login window but still can’t login

    I think it's a Kerberos problem, but nothing looks wrong. The edu.mit.kerberos file on the bad computer looks OK.
    I deleted it and it was recreated.
    I did a kadmin listprincs on the server and all the users show up. Since I can log in from other computers, I suspect
    something wrong with the bad computer, not the server setup. No changes were made; the server just had a power cycle
    while the client was connected. The next time it tried to authenticate, it failed.

    #369699
    smithsm
    Participant

    I looked at the Password Server Log and KDC log and there is something odd going on.
    For computers where network login works I get the following in the Password Server Log each time a user authenticates

    Aug 11 2007 09:22:04 RSAVALIDATE: success.
    Aug 11 2007 09:22:04 AUTH2: {0x442c2aba5be330330000000d0000000d, alison} DIGEST-MD5 authentication succeeded.
    Aug 11 2007 09:22:04 QUIT: {0x442c2aba5be330330000000d0000000d, alison} disconnected.
    Aug 11 2007 09:24:37 RSAVALIDATE: success.

    I also get the following in the KDC log, but not every time:

    Aug 10 16:56:33 server.private krb5kdc[178](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.130: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
    Aug 10 16:56:33 server.private krb5kdc[178](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.130: CHECK_PWS_ACCT: [email protected] for krbtgt/[email protected], Connection refused

    So it appears that Kerberos is not working, but network users can still log in. However, Kerberos was working very recently, as there
    are expired tickets saved in preferences.

    For the computer where network login does NOT work, I do not get any entries in either the password server or KDC log
    for failed attempts to log in. So it appears that it is not accessing the password server correctly.
    How do I debug this or fix it?

    #369729
    smithsm
    Participant

    Yes, one client machine that isn't allowing network logins. More interesting: one user with a portable home directory can log in when
    disconnected from the network. Then, when logging out while connected, the logout sync works and an entry shows up in the password server log on the server. So somehow the password server was broken for logins but not logouts.

    I finally gave up and did a clean install on the client machine (took all weekend) because it was a development machine with all kinds of applications on it. This fixed the problem with network user login but not the kerberos problem.

    There is an app note, "Kerberos authentication services may not successfully start", that says to use slapconfig and sso_util to get Kerberos running. Will this resync the Kerberos password database with Open Directory?

    Question: why, once a client network user is logged in, does every admin authorization access the server? Every time
    a network user with a portable home directory and admin privileges makes a configuration change, it hits the password server
    on the server instead of using local authorization. Seems unnecessary and fragile?

    #369753
    smithsm
    Participant

    >>- I’m not quite sure what Kerberos issue you’re still seeing? Do you have an actual Kerberos failure, or are you just looking at noise in the logs?

    When I use the Kerberos utility on a client machine to try to create a new ticket for a network user I get
    “Kerberos login failed: Generic Error (see e-text)”

    The kdc log on the server produces the following entry as a result.

    Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
    Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: CHECK_PWS_ACCT: [email protected] for krbtgt/[email protected], Connection refused

    I get the same error whenever a network user logs in.
    The only tickets in /library/preferences, such as edu.mit.Kerberos.1HEenXabeZGsK0LVFUVcl, are old (dating from when Kerberos used to work).

    Is there some other way to verify that it's not working?

    My ServerAdmin AFP->Access setting for authentication is Any Method, and I have Enable Guest Access, Enable secure connections and Enable administrator to masquerade… all checked. So I believe this allows network users to log in even if
    Kerberos is not working.

    In ServerAdmin OpenDirectory->Overview Lookupd is running, Netinfod is local only, slapd is running, password server is running, Kerberos is running.

    The edu.mit.Kerberos file looks fine to me:
    # WARNING This file is automatically created, if you wish to make changes
    # delete the next two lines
    # autogenerated from : /LDAPv3/server.private
    # generation_id : 1855478373
    [libdefaults]
    default_realm = SERVER.PRIVATE
    [realms]
    SERVER.PRIVATE = {
    kdc = server.private
    admin_server = server.private
    }
    [domain_realm]
    private = SERVER.PRIVATE
    .private = SERVER.PRIVATE

    When I run listprincs on the server it looks fine to me.

    server:admin$ sudo kadmin.local
    Password:
    Authenticating as principal root/[email protected] with password.
    kadmin.local: listprincs
    HTTP/[email protected]
    K/[email protected]
    XMPP/[email protected]
    [email protected]
    afpserver/[email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    [email protected]
    ftp/[email protected]
    [email protected]
    host/[email protected]
    http/[email protected]
    imap/[email protected]
    ipp/[email protected]
    [email protected]
    kadmin/[email protected]
    kadmin/[email protected]
    kadmin/[email protected]
    kadmin/[email protected]
    krbtgt/[email protected]
    ldap/[email protected]
    [email protected]
    pop/[email protected]
    [email protected]
    [email protected]
    [email protected]
    smtp/[email protected]
    vpn/[email protected]
    [email protected]
    xgrid/[email protected]

    server:admin$ sudo klist -kt
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Timestamp Principal
    ---- ----------------- --------------------------------------------------------
    3 03/30/06 08:34:39 xgrid/[email protected]
    3 03/30/06 08:34:39 xgrid/[email protected]
    3 03/30/06 08:34:39 xgrid/[email protected]
    3 03/30/06 08:34:39 vpn/[email protected]
    3 03/30/06 08:34:39 vpn/[email protected]
    3 03/30/06 08:34:39 vpn/[email protected]
    3 03/30/06 08:34:39 ipp/[email protected]
    3 03/30/06 08:34:39 ipp/[email protected]
    3 03/30/06 08:34:39 ipp/[email protected]
    3 03/30/06 08:34:39 XMPP/[email protected]
    3 03/30/06 08:34:39 XMPP/[email protected]
    3 03/30/06 08:34:39 XMPP/[email protected]
    3 03/30/06 08:34:39 host/[email protected]
    3 03/30/06 08:34:39 host/[email protected]
    3 03/30/06 08:34:39 host/[email protected]
    3 03/30/06 08:34:39 smtp/[email protected]
    3 03/30/06 08:34:39 smtp/[email protected]
    3 03/30/06 08:34:39 smtp/[email protected]
    3 03/30/06 08:34:39 http/[email protected]
    3 03/30/06 08:34:39 http/[email protected]
    3 03/30/06 08:34:39 http/[email protected]
    3 03/30/06 08:34:39 HTTP/[email protected]
    3 03/30/06 08:34:39 HTTP/[email protected]
    3 03/30/06 08:34:39 HTTP/[email protected]
    3 03/30/06 08:34:39 pop/[email protected]
    3 03/30/06 08:34:39 pop/[email protected]
    3 03/30/06 08:34:39 pop/[email protected]
    3 03/30/06 08:34:39 imap/[email protected]
    3 03/30/06 08:34:39 imap/[email protected]
    3 03/30/06 08:34:39 imap/[email protected]
    3 03/30/06 08:34:39 ftp/[email protected]
    3 03/30/06 08:34:39 ftp/[email protected]
    3 03/30/06 08:34:39 ftp/[email protected]
    3 03/30/06 08:34:39 afpserver/[email protected]
    3 03/30/06 08:34:39 afpserver/[email protected]
    3 03/30/06 08:34:39 afpserver/[email protected]
    3 03/30/06 08:34:40 ldap/[email protected]
    3 03/30/06 08:34:40 ldap/[email protected]
    3 03/30/06 08:34:40 ldap/[email protected]
    3 03/30/06 09:53:40 xgrid/[email protected]
    3 03/30/06 09:53:40 xgrid/[email protected]
    3 03/30/06 09:53:40 xgrid/[email protected]
    3 03/30/06 09:53:40 vpn/[email protected]
    3 03/30/06 09:53:40 vpn/[email protected]
    3 03/30/06 09:53:40 vpn/[email protected]
    3 03/30/06 09:53:40 ipp/[email protected]
    3 03/30/06 09:53:40 ipp/[email protected]
    3 03/30/06 09:53:40 ipp/[email protected]
    3 03/30/06 09:53:40 XMPP/[email protected]
    3 03/30/06 09:53:40 XMPP/[email protected]
    3 03/30/06 09:53:40 XMPP/[email protected]
    3 03/30/06 09:53:40 host/[email protected]
    3 03/30/06 09:53:40 host/[email protected]
    3 03/30/06 09:53:40 host/[email protected]
    3 03/30/06 09:53:40 smtp/[email protected]
    3 03/30/06 09:53:40 smtp/[email protected]
    3 03/30/06 09:53:40 smtp/[email protected]
    3 03/30/06 09:53:40 http/[email protected]
    3 03/30/06 09:53:40 http/[email protected]
    3 03/30/06 09:53:40 http/[email protected]
    3 03/30/06 09:53:40 HTTP/[email protected]
    3 03/30/06 09:53:40 HTTP/[email protected]
    3 03/30/06 09:53:40 HTTP/[email protected]
    3 03/30/06 09:53:40 pop/[email protected]
    3 03/30/06 09:53:40 pop/[email protected]
    3 03/30/06 09:53:40 pop/[email protected]
    3 03/30/06 09:53:40 imap/[email protected]
    3 03/30/06 09:53:40 imap/[email protected]
    3 03/30/06 09:53:40 imap/[email protected]
    3 03/30/06 09:53:40 ftp/[email protected]
    3 03/30/06 09:53:40 ftp/[email protected]
    3 03/30/06 09:53:40 ftp/[email protected]
    3 03/30/06 09:53:40 afpserver/[email protected]
    3 03/30/06 09:53:40 afpserver/[email protected]
    3 03/30/06 09:53:40 afpserver/[email protected]
    3 03/30/06 09:53:41 ldap/[email protected]
    3 03/30/06 09:53:41 ldap/[email protected]
    3 03/30/06 09:53:41 ldap/[email protected]
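    The two log excerpts in this thread (the Password Server and KDC lines quoted in the second post, and the CHECK_PWS_ACCT lines above) carry the whole diagnosis once you read them side by side: NEEDED_PREAUTH is the normal first leg of a Kerberos AS exchange, CHECK_PWS_ACCT followed by "Connection refused" is the KDC failing to call back into the Password Server, and a client that leaves no trace in either log never reached the server at all. The following triage script is an added example written for this page, not code from the thread or from Apple; it parses both log formats and reports those three conditions. The sample lines are constructed after the ones quoted here, and the user names, IP addresses and realm in them are placeholders.

```python
"""Triage Open Directory login failures from Password Server and krb5kdc log lines.

Added example, not from the thread.  Findings it reports:
  KDC_CANNOT_REACH_PASSWORD_SERVER  CHECK_PWS_ACCT ... Connection refused (server-side fault)
  NO_TICKETS_ISSUED                 KDC saw requests but never logged ISSUE
  silent_clients / silent_users     hosts or accounts that never appear (client-side fault)
"""
import re

KDC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<client_ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "client for server" appears in every status variant, followed by an optional ", detail".
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")
PWS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<event>[A-Z0-9]+): (?P<rest>.*)$"
)
PWS_ENTRY_RE = re.compile(r"^\{(?P<slot>0x[0-9a-f]+), (?P<user>[^}]+)\} (?P<detail>.*)$")


def parse_kdc(lines):
    """One dict per krb5kdc request line; lines in another format are skipped."""
    records = []
    for line in lines:
        m = KDC_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        p = PRINC_RE.search(rec["rest"])
        rec["client"] = p.group("client") if p else None
        rec["server"] = p.group("server") if p else None
        rec["detail"] = rec["rest"][p.end():].lstrip(", ") if p else rec["rest"]
        records.append(rec)
    return records


def parse_pws(lines):
    """One dict per Password Server log line, with the {slot, user} prefix split out."""
    records = []
    for line in lines:
        m = PWS_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        e = PWS_ENTRY_RE.match(rec["rest"])
        rec["user"] = e.group("user") if e else None
        rec["detail"] = e.group("detail") if e else rec["rest"]
        records.append(rec)
    return records


def triage(kdc_lines, pws_lines, expected_clients=(), expected_users=()):
    """Correlate both logs; return findings plus who was seen and who was silent."""
    kdc = parse_kdc(kdc_lines)
    pws = parse_pws(pws_lines)
    findings = []

    # The KDC got past pre-auth and tried to check the account with the Password
    # Server; "Connection refused" there breaks Kerberos for every client alike.
    refused = [r for r in kdc
               if r["status"] == "CHECK_PWS_ACCT" and "Connection refused" in r["detail"]]
    if refused:
        findings.append("KDC_CANNOT_REACH_PASSWORD_SERVER")

    # MIT krb5kdc logs ISSUE when it grants a ticket; requests without any ISSUE
    # mean nobody is getting tickets, whatever the login window says.
    if kdc and not any(r["status"] == "ISSUE" for r in kdc):
        findings.append("NO_TICKETS_ISSUED")

    # A client or account absent from both logs never reached the server: look at
    # that machine's directory binding, DNS and firewall rather than at the server.
    kdc_clients = {r["client_ip"] for r in kdc}
    pws_users_ok = {r["user"] for r in pws
                    if r["event"] == "AUTH2" and r["user"] and "succeeded" in r["detail"]}
    pws_users_seen = {r["user"] for r in pws if r["user"]}

    return {
        "findings": findings,
        "kdc_refused": len(refused),
        "kdc_clients": sorted(kdc_clients),
        "silent_clients": sorted(set(expected_clients) - kdc_clients),
        "pws_users_ok": sorted(pws_users_ok),
        "silent_users": sorted(set(expected_users) - pws_users_seen),
    }


# Constructed sample lines modelled on the thread; names, IPs and realm are placeholders.
SAMPLE_KDC = """\
Aug 10 16:56:33 server.private krb5kdc[178](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.130: NEEDED_PREAUTH: alison@SERVER.PRIVATE for krbtgt/SERVER.PRIVATE@SERVER.PRIVATE, Additional pre-authentication required
Aug 10 16:56:33 server.private krb5kdc[178](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.130: CHECK_PWS_ACCT: alison@SERVER.PRIVATE for krbtgt/SERVER.PRIVATE@SERVER.PRIVATE, Connection refused
Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: NEEDED_PREAUTH: bob@SERVER.PRIVATE for krbtgt/SERVER.PRIVATE@SERVER.PRIVATE, Additional pre-authentication required
Aug 16 10:10:53 server.private krb5kdc[220](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.0.2.128: CHECK_PWS_ACCT: bob@SERVER.PRIVATE for krbtgt/SERVER.PRIVATE@SERVER.PRIVATE, Connection refused
""".splitlines()

SAMPLE_PWS = """\
Aug 11 2007 09:22:04 RSAVALIDATE: success.
Aug 11 2007 09:22:04 AUTH2: {0x442c2aba5be330330000000d0000000d, alison} DIGEST-MD5 authentication succeeded.
Aug 11 2007 09:22:04 QUIT: {0x442c2aba5be330330000000d0000000d, alison} disconnected.
Aug 11 2007 09:24:37 RSAVALIDATE: success.
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_KDC, SAMPLE_PWS,
                    expected_clients=["10.0.2.128", "10.0.2.130", "10.0.2.131"],
                    expected_users=["alison", "carol"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

    Feed it the real files with something like `triage(open("/var/log/krb5kdc/kdc.log"), open("/Library/Logs/PasswordService/ApplePasswordServer.Server.log"), expected_clients=[...])` (those paths are the usual Tiger Server locations; check them on your system). The point of passing `expected_clients` is the thread's own observation: the broken client showed up in neither log, which is a different fault from the "Connection refused" that hit every client.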

    #369776
    smithsm
    Participant

    >>>So… Kerberos is failing for all network users? Is it working for anyone? Does it fail a kinit done from the server itself?

    it fails for all users including kinit done from the server.

    So there is supposed to be a CHECK_PWS_ACCT in the list of principals?

    #369780
    smithsm
    Participant

    I got it working!
    Your comment about the KDC not being able to talk back to the password server gave me a clue as to what
    might be the problem.

    I use EIMS for the mail server and EIMS also defaults to using port 106 for its password server. Tiger server lists two different
    ports for its password server in its preferences file, 3659 and 106.
    The EIMS docs say to remove the conflict by disabling port 106 for tiger server by deleting its entry from /library/preferences/com.apple.passwordserver.plist . It says that this does no harm as tiger server uses the other port.
    Apparently this changed with one of the recent updates to Tiger server.
    When I reenabled port 106 and rebooted, kerberos started working.
    In the past Kerberos worked with port 106 disabled.

    So it appears that Kerberos on tiger server uses port 106 to talk to the password server while everything else uses the standard
    port 3659.

    I will notify EIMS developer to fix his documentation.
    I just had to set EIMS’s password server to use a different port.
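    The fix above is a port-ownership problem: Apple's Password Server listens on TCP 3659 and on TCP 106 (the poppassd password-change port, which is exactly why a mail server such as EIMS wants it too), and the KDC's account check was being refused because another process held 106. A quick way to catch that before it costs a weekend is to look at who is actually listening on both ports. The script below is an added example for this page, not code from the thread or from Apple; it parses the output of `sudo lsof -nP -iTCP -sTCP:LISTEN` and reports, for each port the Password Server should own, whether the expected process holds it, something else holds it, or nobody does. The lsof text is constructed, and the process name PasswordService (which lsof shows truncated to nine characters) is an assumption about the Tiger Server daemon name.

```python
"""Report who owns the Password Server's listening ports.

Added example, not from the thread.  Input is the text of
    sudo lsof -nP -iTCP -sTCP:LISTEN
and the result says, per port, "ok", "conflict" or "not_listening".
"""
import socket

PASSWORD_SERVER_PORTS = (3659, 106)   # Apple Password Server; 106 doubles as poppassd
EXPECTED_OWNER = "PasswordS"          # assumption: PasswordService, truncated by lsof's COMMAND column


def parse_lsof_listeners(text):
    """Return (command, pid, port) for each LISTEN line of lsof -nP -iTCP -sTCP:LISTEN."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[-1] != "(LISTEN)":
            continue                      # header line or a non-listening socket
        addr = fields[-2]                 # e.g. *:3659, 127.0.0.1:106, [::1]:106
        port = int(addr.rsplit(":", 1)[1])
        listeners.append((fields[0], int(fields[1]), port))
    return listeners


def check_password_server_ports(listeners, ports=PASSWORD_SERVER_PORTS, owner=EXPECTED_OWNER):
    """For each port: ok (only the expected owner), conflict (someone else), not_listening."""
    report = {}
    for port in ports:
        owners = [cmd for cmd, _pid, p in listeners if p == port]
        if not owners:
            state = "not_listening"       # e.g. 106 removed from com.apple.passwordserver.plist
        elif all(cmd.startswith(owner) for cmd in owners):
            state = "ok"
        else:
            state = "conflict"            # another daemon grabbed the port first
        report[port] = {"state": state, "owners": owners}
    return report


def tcp_probe(host, port, timeout=2.0):
    """Live check from the KDC host; 'refused' is the same condition the kdc log
    reports as CHECK_PWS_ACCT ... Connection refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        s.close()


# Constructed lsof output reproducing the conflict described in the thread.
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
PasswordS   312 root    6u  IPv4 0x0a1b2c3d      0t0  TCP *:3659 (LISTEN)
EIMS        845 root   11u  IPv4 0x0a1b2c4e      0t0  TCP *:106 (LISTEN)
krb5kdc     201 root    4u  IPv4 0x0a1b2c5f      0t0  TCP *:88 (LISTEN)
"""

if __name__ == "__main__":
    for port, info in check_password_server_ports(parse_lsof_listeners(SAMPLE_LSOF)).items():
        print(f"port {port}: {info['state']} (listeners: {info['owners'] or 'none'})")
```

    Run it against live output with `check_password_server_ports(parse_lsof_listeners(subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"], capture_output=True, text=True).stdout))` as root. A "conflict" on 106 is the EIMS case; "not_listening" on 106 is the state the EIMS documentation led to, and this thread shows it also breaks the KDC's callback even though 3659 is still up.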
