Single Sign On AD tickets not valid

[Kyle]

I am using the 4am-media directions to do sso for afp, smb, and ssh.

I get tickets–tgts and service tickets, but the services don’t accept
the tickets. I set the com.apple.AppleFileServer.plist and the smb.conf
file.

But each service refuses to let me in with my service tickets.

afp gives a message "An AppleShare System Error occurred"

smb says my name or password is not correct, the log.smbd says
"[2004/12/29 11:55:46, 1]
/SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/12/29 11:55:46, 2]
/SourceCache/samba/samba-56/samba/source/smbd/server.c:exit_server(558)
  Closing connections"

ssh in verbose shows:
debug3: authmethod_is_enabled gssapi
debug1: Next authentication method: gssapi
debug2: we sent a gssapi packet, wait for reply
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentications that can continue:
gssapi,publickey,password,keyboard-interactive
debug2: we sent a gssapi packet, wait for reply
debug1: Authentications that can continue:
gssapi,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method

Yet after the connection attempt, I have my service tickets, they just
don’t seem to work. Service tickets DO work for accessing the windows
servers using smb.

Any thoughts on why my service tickets for the wouldn’t work.

Thanks,

Kyle

[Kyle]

Yes, server clock is using the AD server’s time server. As are the client machines.

[s_groening]

have you tried to setup Kerberos Principals in the way described by Michael Bartosh at http://4am-media.com/SSO/ ??

This has helped my AFP SSO situation tremendously — actually that is what made it work

with a correctly populated krb5.keytab file you might have better chances at making it work.

[Author]

Posts