OS X 10.4.2 kdestroy problem - Kerberos


  1. OS X 10.4.2 kdestroy problem

    Has anyone run into this?

    We have edited /etc/authorization and set
    builtin:krb5authenticate,privileged in place of authinternal for
    system.login.console. This allows us to log into the system with a
    valid Kerberos password.

    However, in 10.4.2 when we run kdestroy, kinit will no longer work:

    drwmac:~ drwachd$ /usr/bin/klist
    Kerberos 5 ticket cache: 'API:Initial default ccache'
    Default principal: drwachd@dce.sandia.gov

    Valid Starting     Expires            Service Principal
    07/19/05 11:20:43  07/19/05 21:20:42  krbtgt/dce.sandia.gov@dce.sandia.gov
            renew until 08/02/05 11:20:42

    klist: No Kerberos 4 tickets in credentials cache
    drwmac:~ drwachd$ /usr/bin/kdestroy
    drwmac:~ drwachd$ /usr/bin/kinit
    Please enter the password for drwachd@dce.sandia.gov:
    Kerberos Login Failed: Credentials cache server unavailable
    drwmac:~ drwachd$

    If we log in with a local (not Kerberos) password, type kinit then
    kdestroy, then kinit - it works fine.

    Any ideas as to the problem?

    -dan
    --------------------------------------
    Daniel Wachdorf
    drwachd@sandia.gov
    Sandia National Laboratories
    Cyber Security Technologies
    505-284-8060

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: OS X 10.4.2 kdestroy problem


    The problem here is that the Mach-IPC based CCacheServer (which
    stores your tickets) gets registered as root by launchd. There is
    special code in the login process which tells the first instantiation
    of the CCacheServer to run as the user. However, when you destroy
    your tickets and get new ones, launchd launches the second
    CCacheServer (and all future ones) as root and thus you don't have
    access to your ticket cache.

    Apple is aware of this problem and is working with MIT to resolve
    it. Unfortunately there is currently no workaround other than to not
    enable Kerberos at login.


    On Jul 19, 2005, at 1:24 PM, Wachdorf, Daniel R wrote:

    > Has anyone run into this?
    >
    > We have edited /etc/authorization and set
    > builtin:krb5authenticate,privileged in place of authinternal for
    > system.login.console. This allows us to log into the system with a
    > valid Kerberos password.
    >
    > However, in 10.4.2 when we run kdestroy, kinit will no longer work:
    >
    > drwmac:~ drwachd$ /usr/bin/klist
    > Kerberos 5 ticket cache: 'API:Initial default ccache'
    > Default principal: drwachd@dce.sandia.gov
    >
    > Valid Starting     Expires            Service Principal
    > 07/19/05 11:20:43  07/19/05 21:20:42  krbtgt/dce.sandia.gov@dce.sandia.gov
    >         renew until 08/02/05 11:20:42
    >
    > klist: No Kerberos 4 tickets in credentials cache
    > drwmac:~ drwachd$ /usr/bin/kdestroy
    > drwmac:~ drwachd$ /usr/bin/kinit
    > Please enter the password for drwachd@dce.sandia.gov:
    > Kerberos Login Failed: Credentials cache server unavailable
    > drwmac:~ drwachd$
    >
    > If we login with a local (not Kerberos) password, type kinit then
    > kdestroy, then kinit - it works fine.
    >
    > Any ideas as to the problem?
    >
    > -dan
    > --------------------------------------
    > Daniel Wachdorf
    > drwachd@sandia.gov
    > Sandia National Laboratories
    > Cyber Security Technologies
    > 505-284-8060
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >


    --lxs

    Alexandra Ellwood
    MIT Kerberos Development Team
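
A way to confirm the condition described in the reply above, as an added example that is not part of the original thread or of Apple's or MIT's code: the function reads `USER PID COMMAND` lines, as printed by `ps -axo user,pid,comm`, and flags any CCacheServer instance not owned by the logged-in user. The two process listings and the `/path/to/` prefix are constructed placeholders.

```shell
#!/bin/sh
# Added example: check which account owns each running CCacheServer.
# Live use (assumed invocation): ps -axo user,pid,comm | check_ccache_owner "$USER"

# Exit status: 0 = every instance owned by expected user,
#              1 = at least one instance owned by someone else,
#              2 = no CCacheServer found in the listing.
check_ccache_owner() {
    awk -v want="$1" '
        {
            user = $1; pid = $2
            cmd = $0
            # Drop the USER and PID columns; the command may contain spaces.
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", cmd)
            # comm can be a full path, so compare only the last component.
            n = split(cmd, parts, "/")
            if (parts[n] != "CCacheServer") next
            seen++
            if (user == want) {
                printf "ok       pid=%s owner=%s\n", pid, user
            } else {
                printf "MISMATCH pid=%s owner=%s (expected %s)\n", pid, user, want
                bad++
            }
        }
        END {
            if (seen == 0) { print "no CCacheServer running"; exit 2 }
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed listing: state right after a Kerberos console login.
sample_first_login() {
    printf '%s\n' 'USER PID COMMAND' \
        'root 1 /sbin/launchd' \
        'drwachd 231 /path/to/CCacheServer'
}

# Constructed listing: state after kdestroy followed by kinit.
sample_after_kdestroy() {
    printf '%s\n' 'USER PID COMMAND' \
        'root 1 /sbin/launchd' \
        'root 412 /path/to/CCacheServer'
}

sample_first_login | check_ccache_owner drwachd || true
sample_after_kdestroy | check_ccache_owner drwachd || true
```

A `MISMATCH` line with owner `root` corresponds to the state in which kinit reports "Credentials cache server unavailable".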




