Kerberos authentication problem on MacOS X

Love lha at stacken.kth.se
Thu Apr 12 20:05:26 CEST 2001


"Samuel L. Bayer" <sam at linus.mitre.org> writes:

> sam% /usr/arla/bin/klog
> Unable to find service afs3-prserver/udp, using port 7002
> sam at rcf.mitre.org's Password:
> kerberos-iv/udp unknown service, using default port 750
> /usr/arla/bin/klog: Unable to authenticate to Kerberos: Can't send request (send_to_kdc)
> 
> I get the same message when I use the kinit command which comes with
> MacOS X:
> 
> sam% kinit -4 sam at rcf.mitre.org
> Password for sam at rcf.mitre.org: 
> kinit(v4): Can't send request (send_to_kdc)

MIT/Apple kinit that you get with will not store tokens in kernel for you,
you'll then need to run kth-krb afslog, or arla's aklog.
 
> I've found a number of potential reasons for this error on the Web,
> none of which are my problem:
> 
> - no appropriate entries in /etc/services (the defaults seem to be the
>   right defaults, and our AFS and Kerberos servers are using the same
>   defaults)
> - unsynchronized system clock (synchronized the clock, still broken)
> - network connectivity problems (I can telnet to hosts on the same
>   subnet as the AFS server; I can't log
>   in to the AFS server directly because login is disabled for
>   nonsysadmins) 
> 
> I know that the Kerberos client is finding the server, because when I
> feed it a bad cell name, it reports that it can't find a server for
> that cell. 

You need to have a /etc/krb.conf file if you want to use arla's klog or
kth-krb kinit/kauth/afslog.

cat > /etc/krb.conf <<END
RCF.MITRE.ORG
RCF.MITRE.ORG kerberos-server1.rcf.mitre.org admin server
RCF.MITRE.ORG kerberos-server2.rcf.mitre.org
RCF.MITRE.ORG kerberos-server3.rcf.mitre.org
END

Ask your sysadmins to add aliases for kerberos.rcf.mitre.org,
kerberos1.rcf.mitre.org, kerberos2.rcf.mitre.org, ... for the real kerberos
servers, then it should just work w/o editing the krb.conf file.

Another alternative is to use arla's kalog that talks to the ka-servers
directly.

Love, who thinks there are too many different authentication methods.
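
Added example, not part of the message above: a small sh check that a Kerberos 4 style krb.conf in the layout shown in the reply (default realm on the first line, then "REALM host [admin server]" lines) lists at least one KDC for its default realm. The function names are hypothetical, and the demo runs on a temporary copy of the file from the message rather than the live /etc/krb.conf.

```sh
#!/bin/sh
# Parse a Kerberos 4 style krb.conf: line 1 is the default realm,
# every later line is "REALM host [admin server]".

# Print the default realm (first field of the first non-blank line).
krb_default_realm() {
    awk 'NF { print $1; exit }' "$1"
}

# Print one KDC host per line for realm $2, marking the admin server.
krb_kdcs_for_realm() {
    awk -v realm="$2" '
        !seen_first && NF { seen_first = 1; next }   # skip the default-realm line
        NF >= 2 && $1 == realm {
            if ($3 == "admin" && $4 == "server") print $2 " (admin)"
            else print $2
        }' "$1"
}

# Return 0 if the default realm has at least one KDC entry, 1 otherwise.
krb_conf_check() {
    conf=$1
    [ -r "$conf" ] || { echo "missing or unreadable: $conf" >&2; return 1; }
    realm=$(krb_default_realm "$conf")
    [ -n "$realm" ] || { echo "no default realm in $conf" >&2; return 1; }
    count=$(krb_kdcs_for_realm "$conf" "$realm" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no KDC listed for $realm in $conf" >&2
        return 1
    fi
    echo "$realm: $count KDC(s)"
}

# Demo on a temporary copy of the file from the message.
demo=$(mktemp)
cat > "$demo" <<END
RCF.MITRE.ORG
RCF.MITRE.ORG kerberos-server1.rcf.mitre.org admin server
RCF.MITRE.ORG kerberos-server2.rcf.mitre.org
RCF.MITRE.ORG kerberos-server3.rcf.mitre.org
END
krb_conf_check "$demo"
krb_kdcs_for_realm "$demo" RCF.MITRE.ORG
rm -f "$demo"
```

On a real client, krb_conf_check /etc/krb.conf gives the same summary for the installed file.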
