The problem here is that the Mach-IPC based CCacheServer (which stores your tickets) gets registered as root by launchd. There is special code in the login process which tells the first instantiation of the CCacheServer to run as the user. However, when you destroy your tickets and get new ones, launchd launches the second CCacheServer (and all future ones) as root, and thus you don't have access to your ticket cache.

Apple is aware of this problem and is working with MIT to resolve it. Unfortunately there is currently no workaround other than to not enable Kerberos at login.


On Jul 19, 2005, at 1:24 PM, Wachdorf, Daniel R wrote:

Has anyone run into this?

We have edited /etc/authorization and set
builtin:krb5authenticate,privileged in place of authinternal for
system.login.console.   This allows us to log into the system with a
valid Kerberos password.

However, in 10.4.2 when we run kdestroy, kinit will no longer work:

drwmac:~ drwachd$ /usr/bin/klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: [EMAIL PROTECTED]

Valid Starting     Expires            Service Principal
07/19/05 11:20:43  07/19/05 21:20:42  krbtgt/[EMAIL PROTECTED]
        renew until 08/02/05 11:20:42

klist: No Kerberos 4 tickets in credentials cache
drwmac:~ drwachd$ /usr/bin/kdestroy
drwmac:~ drwachd$ /usr/bin/kinit
Please enter the password for [EMAIL PROTECTED]:
Kerberos Login Failed: Credentials cache server unavailable
drwmac:~ drwachd$

If we log in with a local (not Kerberos) password, type kinit then
kdestroy, then kinit - it works fine.

Any ideas as to the problem?

-dan
--------------------------------------
Daniel Wachdorf
[EMAIL PROTECTED]
Sandia National Laboratories
Cyber Security Technologies
505-284-8060

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos


--lxs

Alexandra Ellwood <[EMAIL PROTECTED]>
MIT Kerberos Development Team
<http://mit.edu/lxs/www>
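
An added diagnostic example, not part of the original thread and not Apple or MIT code: it reads output in the format of `ps -axo user,pid,command` and flags any CCacheServer instance that is not owned by the expected user, which is the condition described in the reply above. The sample process listings, PIDs, and the /path/to/CCacheServer placeholder are constructed; the function name is hypothetical.

```shell
#!/bin/sh
# check_ccache_owner EXPECTED_USER  < ps-output
# Input: lines in the format of `ps -axo user,pid,command`, header included.
# Prints one line per CCacheServer instance found.
# Returns 0 if all instances belong to EXPECTED_USER, 1 if any does not,
# 2 if no CCacheServer is running.
check_ccache_owner() {
    awk -v want="$1" '
        NR == 1 { next }                     # skip the ps header line
        {
            n = split($3, parts, "/")        # basename of the executable
            if (parts[n] != "CCacheServer") next
            found++
            if ($1 == want) {
                printf "OK pid=%s owner=%s\n", $2, $1
            } else {
                printf "MISMATCH pid=%s owner=%s expected=%s\n", $2, $1, want
                bad++
            }
        }
        END {
            if (!found) { print "no CCacheServer running"; exit 2 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: state right after a Kerberos login (server runs as the user).
sample_after_login() { cat <<'EOF'
USER      PID COMMAND
root        1 /sbin/launchd
drwachd   212 /path/to/CCacheServer
EOF
}

# Constructed sample: state after kdestroy + kinit (launchd restarted it as root).
sample_after_kdestroy() { cat <<'EOF'
USER      PID COMMAND
root        1 /sbin/launchd
root      845 /path/to/CCacheServer
EOF
}

echo "after login:";    sample_after_login    | check_ccache_owner drwachd || true
echo "after kdestroy:"; sample_after_kdestroy | check_ccache_owner drwachd || true
# Live use on an affected machine: ps -axo user,pid,command | check_ccache_owner "$(id -un)"
```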

