Keberos with Mac OS X (10.2)

timothy perfitt tperf at
Tue Sep 17 14:44:14 EDT 2002

I am attempting to set up a small test network to get Kerberos working 
on Mac OS X (10.2) and Mac OS X Server (10.2).  I have searched the 
archives and have not found any reference to the errors I am getting or 
specific setup on OS X Server (10.2).  I am new to Kerberos, so please 
forgive me if I use some of the terminology incorrectly.

  I am using Windows 2000 Server as the KDC, and am successfully 
authenticating to the KDC and getting my krbtgt ticket.  However, I am 
now trying to set up Mac OS X Server to provide ftp/Mail/AFP services 
using Kerberos authentication, but keep getting errors like this on the 
server whenever I attempt to connect from the client to the server:

Sep 17 2002 01:16:18      Major Error (1): Miscellaneous failure
Sep 17 2002 01:16:18      Minor Error (1): No principal in keytab 
matches desired name

My question is this:  does the name of a service, ie ftpd, have to be 
part of the principal name of the service (ie 
ftpd/ at FOO.COM)?  Do I even need a service key in 
krb5.keytab on the server?  My understanding is that Kerberos provides 
assurance that a specific user on a specific host is authorized to 
connect to a specific server.  I believe this means that I would only 
need a key for the host, ie host/ at FOO.COM in the 
krb5.keytab on the server.  However, I continue to receive the error 
messages above.  I can get a primary key from both OS X client and 
Server, using kinit, but cannot connect from client to server (with 
kerberized apps such as Mail, ftp, etc) using kerberos authentication.  
I have a DNS setup correctly so that all reverse lookups return the 
FQDN, and forward lookups return the correct IP.

Any ideas?

Timothy Perfitt

More information about the Kerberos mailing list