Kerb v4 for MacOS X

Alexandra Ellwood lxs at MIT.EDU
Tue Feb 5 14:57:00 EST 2002

>  I'm not sure if we're doing "pre-authentication" as I don't know
>what that means; however, if the clock is off by 1 hr (or I also
>tried 9 hours) I do get a "Service Expired" message by both Kerberos
>for Mac OS 8.6 and Mac OS X 10.1.2. And I do have 4.0b7 on both
>OS versions.
>If it helps, I've attached our Kerberos preferences file.

ANDREW.CMU.EDU appears to be running a kaserver, which is a special 
type of Kerberos 4 KDC shipped by Transarc for use with AFS.  I 
believe this type of server can return KDC_SERVICE_EXP (Service 
expired) instead of RD_AP_TIME (Clock skew too great) in 
time-out-of-bounds conditions.

While getting an initial ticket, receiving KDC_SERVICE_EXP can only 
mean two things: the server is a kaserver and the real error is 
RD_AP_TIME *or* the krbtgt service principal is expired.  Since the 
latter error is unlikely (and will cause immediate serious problems 
for all Kerberos clients), we will consider working around this 

However, we will need to verify that this change will not result in 
bad error reporting for other v4 KDC implementations (I can think of 
at least four).  As a result, I would not expect this change for KfM 

Also, I suspect that you have the wrong string_to_key_type in your 
preferences file.  If you are using a kaserver, you probably want a 
"afs_string_to_key" rather than "mit_string_to_key".  These two types 
behave the same for passwords of 8 characters or less, so you may not 
be able to tell that you have the wrong one until you change your 
password to something longer than 8 chars.

Hope this helps,

Alexandra Ellwood                                               <lxs at>
MIT Information Systems                     

More information about the krbdev mailing list