SSO and Kerberos not working with AFP

  • #371315
    robinson
    Participant

    I have my Leopard Server running. Everything seems to work fine. I have my clients (10.4.11) running with network home folders. If I do something like

    sudo klist -k | grep afpserver

    I get the answer that Kerberos has tickets for that:

    3 afpserver/LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7@LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7
    3 afpserver/LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7@LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7
    3 afpserver/LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7@LKDC:SHA1.BA5B742F476AE79129075CCDBB2E4D40D91F82A7
    3 afpserver/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]

    But now my problem: I try to enable Kerberos authentication as the only possibility on the AFP service, and then the clients log in as guests without getting a ticket.
    How can I enable them to get a Kerberos ticket?

    If I enable other authentication on the AFP service, it works fine and I can get tickets, for example if I launch Mail and it asks for my Kerberos password.

    #371348
    robinson
    Participant

    After a few tests I know something more. I tried with a Leopard client and got a Kerberos ticket.
    Then I installed a fresh Tiger 10.4.3 (had no time to update to 10.4.11, hope it doesn’t matter) to a new disk: no Kerberos ticket.
    Is it a general problem with this combination – Tiger client, Leopard server?

    #371406
    flowctrl
    Participant

    Check the Kerberos principal in your AFP settings using the ‘serveradmin’ command:

    [code]sudo serveradmin settings afp:kerberosPrincipal[/code]

    It should match the afpserver principal that is listed in your keytab file:

    [code]klist -kt | grep afpserver
    afpserver/[email protected]
    [/code]

    If not, you can set it using serveradmin:

    [code]serveradmin settings afp:kerberosPrincipal = afpserver/[email protected]
    [/code]

    It should echo the value after the ‘=’ back to you.
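
The comparison described in the last reply, as an added shell example that is not part of the original thread: it checks whether the principal configured for AFP appears among the afpserver entries in the keytab. The sample command output is constructed, and the `key = "value"` form of the serveradmin output and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): compare the AFP service's configured
# Kerberos principal with the afpserver principals present in the keytab.

# Read "serveradmin settings afp:kerberosPrincipal" output on stdin and print
# the value. Assumes the form: afp:kerberosPrincipal = "value" (quotes optional).
configured_principal() {
    awk -F' = ' '/^afp:kerberosPrincipal/ { gsub(/"/, "", $2); print $2; exit }'
}

# Read "klist -k" or "klist -kt" output on stdin and print the unique afpserver
# principals. The principal is the last field on each keytab line.
keytab_afp_principals() {
    awk '$NF ~ /^afpserver\// { print $NF }' | sort -u
}

# $1 = serveradmin output, $2 = klist output.
# Returns 0 on match, 1 on mismatch, 2 if no setting was found.
check_afp_principal() {
    want=$(printf '%s\n' "$1" | configured_principal)
    if [ -z "$want" ]; then
        echo "no afp:kerberosPrincipal setting found"
        return 2
    fi
    if printf '%s\n' "$2" | keytab_afp_principals | grep -Fxq -- "$want"; then
        echo "OK: $want is in the keytab"
        return 0
    fi
    echo "MISMATCH: '$want' is not in the keytab. afpserver entries found:"
    printf '%s\n' "$2" | keytab_afp_principals | sed 's/^/  /'
    return 1
}

# Constructed sample data (placeholder host, realm and LKDC name).
SAMPLE_SETTING='afp:kerberosPrincipal = "afpserver"'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------
   3 01/01/08 12:00:00 afpserver/server.example.com@EXAMPLE.COM
   3 01/01/08 12:00:00 afpserver/server.example.com@EXAMPLE.COM
   3 01/01/08 12:00:00 afpserver/LKDC:SHA1.EXAMPLE@LKDC:SHA1.EXAMPLE'

# Demo on the constructed samples. On a server, pass the real output instead:
#   check_afp_principal "$(sudo serveradmin settings afp:kerberosPrincipal)" \
#                       "$(sudo klist -kt)"
check_afp_principal "$SAMPLE_SETTING" "$SAMPLE_KEYTAB" || true
```

A mismatch report lists every afpserver entry in the keytab, including any LKDC ones, so the value to set with serveradmin can be copied from it.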
