Adding Kerberos Service Principals in OSX Server for 10.10?

Does anybody know how to add a service principal to Kerberos on Server for OSX 10.10 and have it work? We're trying to use Kerberos to authenticate users of our service where the user accounts are stored in OD on Server for OSX 10.10.


On the OD server machine, using the usual Kerberos commands, we seem to be able to create the service principal. However, when an authenticated user requests a ticket for the service, it is reported as "expired". My guess is that there is some additional step that is required to "bless" a service ticket in an OD KDC. Or not.


In full disclosure and to explain the examples, we're trying to use Kerberos authentication as a means of integrating a Samba-based CIFS bridge with OD. Our product, MediaGrid, is a scalable shared storage system which includes an OSX (and Windows & Linux) network filesystem driver and which has supported OD, AD, and OpenLdap. However we've removed Samba and Linux from the picture completely and are so far unable to get OSX 10.10 Server to give out a valid service ticket to a second OSX 10.10 Mac.


We are able to add a service principal using kadmin (we've also tried with expiration times in 2016):

bash-3.2# kadmin -l
kadmin> add --random-key
kadmin> cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
Policy [default]:


After authenticating ourself on another OSX system we attempt to get a ticket for this service:

sh-3.2# kgetcred cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL
kgetcred: krb5_get_creds: Server (cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL) expired


The ticket is expired and unusable.


Looking at the OS X Server 10.10.1 Server logs, we see:

Sep 8 14:43:33 apples-Mac-mini.local kdc[68]: Server expired at 2015-09-08T14:42:33 – cifs/eng-hbcb2.snv-eng.local@APPLES-MAC-MINI.LOCAL


This is reproducible. It gives an expiration time of one minute before the current time of the ticket request. Each time we do this, the expired time changes to a minute prior. It looks like we need some additional setup.


Anybody know how to do this?

I think you might have more luck asking your question in the Apple Support Communities, run by AppleCare; they have a topic area dedicated to OS X Server, and you’re more likely to find folks with Kerberos configuration expertise there than here in the more developer-oriented DevForums.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the suggestion and links. I've given it a shot.

Thanks Quinn. Just a follow-up that Eric and I did get this to work by using "kservicesetup -x -r <realmname> cifs cifs/<fullyQualifiedMachineName>" instead of kadmin. It's a wrapper around kadmin.local and must have been doing a piece we missed with kadmin.
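The procedure the thread ended up with, as an added example rather than code from the thread: a small POSIX sh script that creates the principal with the kservicesetup invocation quoted above (run on the OD server as root), then checks the result from a client that already holds a TGT. The realm and host names are placeholders; the kgetcred error text and the kdc[] log line it parses are the ones shown in the question. The helper functions (principal-name normalisation, classifying kgetcred output, pulling the expiry timestamp and principal out of the KDC log line) are this example's own and are not part of kservicesetup or Heimdal.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed: realm and FQDN are
# placeholders; "create" runs on the OD server as root, "verify" on a client
# that has already done kinit. The kservicesetup line is the one the thread
# reported as working; everything else here is this example's own helper code.

# Build a principal name with the conventional case: service and host lower-case,
# realm upper-case. Realm names are case-sensitive, so a realm typed in the wrong
# case names a realm the KDC does not know at all.
service_principal() {
    svc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
    printf '%s/%s@%s\n' "$svc" "$host" "$realm"
}

# Classify kgetcred's stderr. An empty result means the ticket was issued; a
# "Server (...) expired" error means the KDC rejected the *service* principal,
# not the user's TGT, which is the symptom the thread describes.
classify_kgetcred() {
    case "$1" in
        *"krb5_get_creds: Server ("*") expired"*) echo "server-expired" ;;
        *"krb5_get_creds:"*)                      echo "kdc-error" ;;
        "")                                       echo "ok" ;;
        *)                                        echo "unknown" ;;
    esac
}

# Pull "<expiry-timestamp> <principal>" out of a KDC log line of the form
#   ... kdc[68]: Server expired at 2015-09-08T14:42:33 – cifs/host@REALM
# The separator after the timestamp is an en dash on the page; any single
# non-space token is accepted there so a plain hyphen works too.
parse_kdc_expired() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Server expired at \([0-9T:-]*\) [^ ]* \(.*\)$/\1 \2/p'
}

# Server side: create the service principal with the kadmin.local wrapper the
# thread settled on, instead of adding it by hand with kadmin -l.
create_service_principal() {
    realm=$1
    fqdn=$2
    kservicesetup -x -r "$realm" cifs "cifs/$fqdn"
}

# Client side: request a service ticket and report what the KDC said. On
# success, klist should now show the cifs/ ticket next to the krbtgt/ one.
verify_service_ticket() {
    principal=$1
    out=$(kgetcred "$principal" 2>&1)
    status=$(classify_kgetcred "$out")
    echo "$status"
    if [ "$status" = ok ]; then
        klist
    fi
}

# Dispatch only when invoked with a verb, so the file can also be sourced.
#   create <REALM> <fqdn>          (on the OD server, as root)
#   verify <REALM> <fqdn>          (on the client, after kinit)
case "${1:-}" in
    create) create_service_principal "$2" "$3" ;;
    verify) verify_service_ticket "$(service_principal cifs "$3" "$2")" ;;
    *)      : ;;
esac
```

If verify still prints server-expired after the kservicesetup run, read the matching kdc[] line on the server through parse_kdc_expired: an expiry stamp one minute before the request, moving with each attempt as in the question, indicates the principal entry itself is still being rejected rather than a clock problem between client and KDC.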
