[24324] in Kerberos


Re: OS X 10.4.2 kdestroy problem

daemon@ATHENA.MIT.EDU (Alexandra Ellwood)
Wed Jul 20 13:52:22 2005

In-Reply-To: <80A84CB5E834D4439556D1F64A1FEB83010669A1@ES20SNLNT.srn.sandia.gov>
Mime-Version: 1.0 (Apple Message framework v733)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id: <826E491C-6346-4115-92B4-A9B4FDF670F7@mit.edu>
Content-Transfer-Encoding: 7bit
From: Alexandra Ellwood <lxs@mit.edu>
Date: Wed, 20 Jul 2005 13:50:41 -0400
To: "Wachdorf, Daniel R" <drwachd@sandia.gov>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu


The problem here is that the Mach-IPC based CCacheServer (which  
stores your tickets) gets registered as root by launchd.  There is  
special code in the login process which tells the first instantiation  
of the CCacheServer to run as the user.  However when you destroy  
your tickets and get new ones, launchd launches the second  
CCacheServer (and all future ones) as root and thus you don't have  
access to your ticket cache.

Apple is aware of this problem and is working with MIT to resolve  
it.  Unfortunately there is currently no workaround other than to not  
enable Kerberos at login.


On Jul 19, 2005, at 1:24 PM, Wachdorf, Daniel R wrote:

> Has anyone run into this?
>
> We have edited /etc/authorization and set
> builtin:krb5authenticate,privileged in place of authinternal for
> system.login.console.   This allows us to log into the system with a
> valid Kerberos password.
>
> However, in 10.4.2 when we run kdestroy, kinit will no longer work:
>
> drwmac:~ drwachd$ /usr/bin/klist
> Kerberos 5 ticket cache: 'API:Initial default ccache'
> Default principal: drwachd@dce.sandia.gov
>
> Valid Starting     Expires            Service Principal
> 07/19/05 11:20:43  07/19/05 21:20:42
> krbtgt/dce.sandia.gov@dce.sandia.gov
>         renew until 08/02/05 11:20:42
>
> klist: No Kerberos 4 tickets in credentials cache
> drwmac:~ drwachd$ /usr/bin/kdestroy
> drwmac:~ drwachd$ /usr/bin/kinit
> Please enter the password for drwachd@dce.sandia.gov:
> Kerberos Login Failed: Credentials cache server unavailable
> drwmac:~ drwachd$
>
> If we login with a local (not Kerberos) password, type kinit then
> kdestroy, then kinit - it works fine.
>
> Any ideas as to the problem?
>
> -dan
> --------------------------------------
> Daniel Wachdorf
> drwachd@sandia.gov
> Sandia National Laboratories
> Cyber Security Technologies
> 505-284-8060
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--lxs

Alexandra Ellwood <lxs@mit.edu>
MIT Kerberos Development Team
<http://mit.edu/lxs/www>
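A quick check for the condition described in this reply (a CCacheServer instance that ended up running as root instead of the console user) as an added example; it is not code from the thread or from the MIT or Apple Kerberos code. It parses `ps -axo pid=,user=,comm=` style output; the sample lines and the CCacheServer path in them are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the original thread. It scans
# `ps -axo pid=,user=,comm=` style output and reports any CCacheServer
# process not running as the console user, which is the state the reply
# describes after launchd re-spawns CCacheServer as root following kdestroy.

# ccache_owner_check CONSOLE_USER PS_OUTPUT
# Prints one line per CCacheServer process owned by someone else.
# Returns 0 when every CCacheServer runs as CONSOLE_USER, 1 otherwise.
ccache_owner_check() {
    printf '%s\n' "$2" | awk -v me="$1" '
        NF >= 3 {
            n = split($3, path, "/")          # comm may be a full path
            if (path[n] == "CCacheServer" && $2 != me) {
                printf "pid %s: CCacheServer running as %s, expected %s\n", $1, $2, me
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample output (placeholder path, not the real install location):
# a healthy server owned by the login user, and one re-spawned as root.
SAMPLE_HEALTHY='  87 root    /usr/sbin/syslogd
 412 drwachd /placeholder/path/CCacheServer'
SAMPLE_BROKEN='  87 root    /usr/sbin/syslogd
 519 root    /placeholder/path/CCacheServer'

# Live use on a Mac: ccache_owner_check "$(id -un)" "$(ps -axo pid=,user=,comm=)"
```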


