Kerb v4 for MacOS X
Alexandra Ellwood
lxs at MIT.EDU
Tue Feb 5 14:57:00 EST 2002
>Hi,
>
> I'm not sure if we're doing "pre-authentication" as I don't know
>what that means; however, if the clock is off by 1 hr (or I also
>tried 9 hours) I do get a "Service Expired" message by both Kerberos
>for Mac OS 8.6 and Mac OS X 10.1.2. And I do have 4.0b7 on both
>OS versions.
>
>If it helps, I've attached our Kerberos preferences file.
ANDREW.CMU.EDU appears to be running a kaserver, which is a special
type of Kerberos 4 KDC shipped by Transarc for use with AFS. I
believe this type of server can return KDC_SERVICE_EXP (Service
expired) instead of RD_AP_TIME (Clock skew too great) in
time-out-of-bounds conditions.
While getting an initial ticket, receiving KDC_SERVICE_EXP can only
mean two things: the server is a kaserver and the real error is
RD_AP_TIME *or* the krbtgt service principal is expired. Since the
latter error is unlikely (and will cause immediate serious problems
for all Kerberos clients), we will consider working around this
problem.
However, we will need to verify that this change will not result in
bad error reporting for other v4 KDC implementations (I can think of
at least four). As a result, I would not expect this change for KfM
4.0.
Also, I suspect that you have the wrong string_to_key_type in your
preferences file. If you are using a kaserver, you probably want a
"afs_string_to_key" rather than "mit_string_to_key". These two types
behave the same for passwords of 8 characters or less, so you may not
be able to tell that you have the wrong one until you change your
password to something longer than 8 chars.
Hope this helps,
--lxs
--
-----------------------------------------------------------------------------
Alexandra Ellwood <lxs at mit.edu>
MIT Information Systems http://mit.edu/lxs/www/
-----------------------------------------------------------------------------
--
More information about the krbdev
mailing list