Kerberos with Mac OS X (10.2)
timothy perfitt
tperf at twocanoes.com
Tue Sep 17 14:44:14 EDT 2002
I am attempting to set up a small test network to get Kerberos working
on Mac OS X (10.2) and Mac OS X Server (10.2). I have searched the
archives and have not found any reference to the errors I am getting or
specific setup on OS X Server (10.2). I am new to Kerberos, so please
forgive me if I use some of the terminology incorrectly.

I am using Windows 2000 Server as the KDC, and am successfully
authenticating to the KDC and getting my krbtgt ticket. However, I am
now trying to set up Mac OS X Server to provide ftp/Mail/AFP services
using Kerberos authentication, but keep getting errors like this on the
server whenever I attempt to connect from the client to the server:

    Sep 17 2002 01:16:18 Major Error (1): Miscellaneous failure
    Sep 17 2002 01:16:18 Minor Error (1): No principal in keytab matches desired name

My question is this: does the name of a service, i.e. ftpd, have to be
part of the principal name of the service (i.e.
ftpd/somehost.foo.com@FOO.COM)? Do I even need a service key in
krb5.keytab on the server? My understanding is that Kerberos provides
assurance that a specific user on a specific host is authorized to
connect to a specific server. I believe this means that I would only
need a key for the host, i.e. host/jagserver.foo.com@FOO.COM in the
krb5.keytab on the server. However, I continue to receive the error
messages above. I can get a primary key from both OS X client and
Server, using kinit, but cannot connect from client to server (with
kerberized apps such as Mail, ftp, etc.) using Kerberos authentication.

I have DNS set up correctly so that all reverse lookups return the
FQDN, and forward lookups return the correct IP.

Any ideas?

Timothy Perfitt
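
An added example, not part of the original post: a small Python check that parses a keytab and reports whether a given principal name has an entry, which is the condition the "No principal in keytab matches desired name" error above reports. It assumes the MIT keytab file format version 0x0502; the helper names, the dummy keys and the sample keytab are constructed for illustration, and ftpd/jagserver.foo.com@FOO.COM is only a hypothetical name modelled on the question.

```python
import struct

def _counted(b):
    """Encode a keytab counted string: 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(principals, kvno=1):
    """Constructed sample data: a 0x0502 keytab with dummy all-zero keys."""
    out = b"\x05\x02"
    for princ in principals:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        entry = struct.pack(">H", len(comps)) + _counted(realm.encode())
        entry += b"".join(_counted(c.encode()) for c in comps)
        entry += struct.pack(">IIB", 1, 0, kvno)            # name type, timestamp, kvno
        entry += struct.pack(">H", 1) + _counted(bytes(8))  # enctype, dummy key
        out += struct.pack(">i", len(entry)) + entry
    return out

def _read(data, p):
    """Decode one counted string at offset p; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def list_principals(data):
    """Return [(principal, kvno)] for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:            # negative length marks a deleted entry (hole)
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _read(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read(data, p)
            comps.append(c)
        found.append(("/".join(comps) + "@" + realm, data[p + 8]))  # skip type+time
        pos += size
    return found

def has_principal(data, desired):
    """This example compares names exactly (case-sensitive) against the entries."""
    return desired in [name for name, _ in list_principals(data)]

SAMPLE = build_keytab(["host/jagserver.foo.com@FOO.COM"])  # constructed keytab
```

With a real file, `list_principals(open("/etc/krb5.keytab", "rb").read())` shows which names the server can actually accept tickets for; the path is the conventional default and is an assumption here.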