OS X 10.4.2 kdestroy problem
Alexandra Ellwood
lxs at MIT.EDU
Wed Jul 20 13:50:41 EDT 2005
The problem here is that the Mach-IPC based CCacheServer (which
stores your tickets) gets registered as root by launchd. There is
special code in the login process which tells the first instantiation
of the CCacheServer to run as the user. However, when you destroy
your tickets and get new ones, launchd launches the second
CCacheServer (and all future ones) as root and thus you don't have
access to your ticket cache.

Apple is aware of this problem and is working with MIT to resolve
it. Unfortunately there is currently no workaround other than to not
enable Kerberos at login.

On Jul 19, 2005, at 1:24 PM, Wachdorf, Daniel R wrote:
> Has anyone run into this?
>
> We have edited /etc/authorization and set
> builtin:krb5authenticate,privileged in place of authinternal for
> system.login.console. This allows us to log into the system with a
> valid Kerberos password.
>
> However, in 10.4.2 when we run kdestroy, kinit will no longer work:
>
> drwmac:~ drwachd$ /usr/bin/klist
> Kerberos 5 ticket cache: 'API:Initial default ccache'
> Default principal: drwachd at dce.sandia.gov
>
> Valid Starting Expires Service Principal
> 07/19/05 11:20:43 07/19/05 21:20:42 krbtgt/dce.sandia.gov at dce.sandia.gov
> renew until 08/02/05 11:20:42
>
> klist: No Kerberos 4 tickets in credentials cache
> drwmac:~ drwachd$ /usr/bin/kdestroy
> drwmac:~ drwachd$ /usr/bin/kinit
> Please enter the password for drwachd at dce.sandia.gov:
> Kerberos Login Failed: Credentials cache server unavailable
> drwmac:~ drwachd$
>
> If we login with a local (not Kerberos) password, type kinit then
> kdestroy, then kinit - it works fine.
>
> Any ideas as to the problem?
>
> -dan
> --------------------------------------
> Daniel Wachdorf
> drwachd at sandia.gov
> Sandia National Laboratories
> Cyber Security Technologies
> 505-284-8060
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--lxs
Alexandra Ellwood <lxs at mit.edu>
MIT Kerberos Development Team
<http://mit.edu/lxs/www>
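
A check for the condition described in this message, added here as an example and not part of the original thread or of Apple's or MIT's code: it reads `ps -axo user,pid,command` output and reports any CCacheServer instance that is not owned by the logged-in user. The way the process shows up in `ps`, the function names and the sample listing are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic example, not from the original thread.
# Assumption: the cache server's executable is named "CCacheServer" in ps output.

# Constructed sample of `ps -axo user,pid,command` output showing the failure
# state from the thread: after kdestroy, the relaunched server runs as root.
SAMPLE_PS='USER       PID COMMAND
root         1 /sbin/launchd
drwachd    212 /path/to/loginwindow
root       431 /path/to/CCacheServer
drwachd    440 -bash'

# Print "owner pid" for every process whose executable basename is CCacheServer.
# Limitation: executable paths that contain spaces are not handled.
ccache_server_owners() {
    awk 'NR > 1 { n = split($3, p, "/"); if (p[n] == "CCacheServer") print $1, $2 }'
}

# Usage: <ps output> | check_ccache_server EXPECTED_USER
# Returns 0 if every instance belongs to EXPECTED_USER,
#         1 if any instance runs as someone else (one line printed per instance),
#         2 if no instance is running.
check_ccache_server() {
    want=$1
    owners=$(ccache_server_owners)
    [ -n "$owners" ] || { echo "no CCacheServer running"; return 2; }
    bad=$(printf '%s\n' "$owners" | awk -v want="$want" '$1 != want')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | while read -r owner pid; do
        echo "CCacheServer pid $pid runs as $owner, expected $want"
    done
    return 1
}

# Demo on the constructed sample (|| true keeps the script's exit status clean).
printf '%s\n' "$SAMPLE_PS" | check_ccache_server drwachd || true

# Live use on the affected machine:
#   ps -axo user,pid,command | check_ccache_server "$(id -un)"
```

A return value of 1 right after `kdestroy` followed by `kinit` matches the root-owned relaunch described above.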