CCacheServer context and unknown error code 19777
- Subject: CCacheServer context and unknown error code 19777
- From: Mike Tegtmeyer <email@hidden>
- Date: Tue, 30 Sep 2008 16:53:14 -0400 (EDT)
Hello,
I am not sure this is the list most appropriate for this question but
previous threads on this list suggest some relevance:
http://lists.apple.com/archives/darwin-kernel/2008/Feb/msg00003.html
http://lists.apple.com/archives/darwin-kernel/2008/Feb/msg00004.html
http://lists.apple.com/archives/darwin-kernel/2008/Feb/msg00005.html
http://lists.apple.com/archives/darwin-kernel/2008/Feb/msg00010.html
I am trying to be clear with the setup and what I've done, so please bear
with me ;)
I have 3 current stock Leopard machines (1 server + 1 bound client + 1
unbound client) with the server configured as an OpenDirectory Master. The
gist is that I am unable to get Kerberos to work correctly with a network
user to be able to ssh into either machine. The login into the machine
works fine but issuing a klist or a kinit yields the message: "Operation
not permitted while initializing Kerberos 5". System logs seem fine so I
enable GSSAPI and Kerberos in /etc/sshd. No luck. I also know about the
builtin:krb5authnoverify,privileged trick for system.login.console in
/etc/authorizations but still nothing. Knowing that ssh is authorizing as
tty and googling around, I try adding builtin:krb5login,privileged
to system.login.tty in /etc/authorizations and try again:
Sep 30 16:20:56 clutch authorizationhost[11370]: k5_store_ticket_in_cache(): got -1765328188 (Internal credentials cache error) on plugins/krb5/krb5_operations.c:83
Sep 30 16:20:56 clutch com.apple.SecurityServer[36]: Succeeded authorizing right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Sep 30 16:20:56 clutch sshd[11360]: Accepted keyboard-interactive/pam for tegtmeye from 128.63.24.155 port 53238 ssh2
Thinking that it is a CCacheServer problem, I reset system.login.tty back
to the system-supplied settings but noticed that when logging into a
machine at the loginwindow I often see the message in the logs about
setting the correct context for the user logging in, but did not see such a
message on the server when sshing in:
Sep 23 16:07:44 clutch SecurityAgent[3548]: User info context values set
Reading http://developer.apple.com/technotes/tn2005/tn2083.html I wondered
if the correct context was being set.
I tried the only other thing that I knew of that would easily tell me if I
was actually logging in as who I thought I was logging in as; I set the
network user to have a Kerberized NFS-mounted home directory. Trying this,
I get this in the system log:
Sep 30 16:25:22 clutch gssd[11615]: Error returned by svc_mach_gss_init_sec_context:
Sep 30 16:25:22 clutch gssd[11615]: Major error <1> Unspecified GSS failure. Minor code may provide more information
Sep 30 16:25:22 clutch gssd[11615]: Minor error <1> Unknown Error Code: 19777
Sep 30 16:25:22 clutch gssd[11615]: nfs client Kerberos: pawl.arl.army.mil:/Users, uid=0 - Unknown Error Code: 19777
Googling "Unknown Error Code: 19777" points me to the Feb. thread in this
list.
At this point I am suspicious that sshd via launchd is not setting the
correct context on network user login (but why just network users??), which
causes things to fall apart, most notably CCacheServer not getting set
correctly for the logged-in user and the fact that NFS thinks that root is
the one logging in.
Not having network users being able to ssh with Kerberized SSO is kind of
a showstopper for us, so any help would be greatly appreciated.
Thanks in advance,
Mike Tegtmeyer