Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)

Hello,

I am not sure this is the most appropriate list for this question, but previous threads on this list suggest some relevance:

http://lists.apple.com/archives/darwin-kernel/2008/Feb/msg00003.html
http://lists.apple.com/archives/darwin-kernel/2008/Feb/msg00004.html
http://lists.apple.com/archives/darwin-kernel/2008/Feb/msg00005.html
http://lists.apple.com/archives/darwin-kernel/2008/Feb/msg00010.html

I am trying to be clear about the setup and what I've done, so please bear with me ;)

I have 3 current stock Leopard machines (1 server + 1 bound client + 1 unbound client) with the server configured as an OpenDirectory Master. The gist is that I am unable to get Kerberos to work correctly with a network user so that the user can ssh into either machine. The login into the machine works fine, but issuing a klist or a kinit yields the message: "Operation not permitted while initializing Kerberos 5". System logs seem fine, so I enable GSSAPI and Kerberos in /etc/sshd. No luck. I also know about the builtin:krb5authnoverify,privileged trick for system.login.console in /etc/authorizations, but still nothing.

Knowing that ssh is authorizing as tty, and poking and googling around, I try adding builtin:krb5login,privileged to system.login.tty in /etc/authorizations and try again:

Sep 30 16:20:56 clutch authorizationhost[11370]: k5_store_ticket_in_cache(): got -1765328188 (Internal credentials cache error) on plugins/krb5/krb5_operations.c:83
Sep 30 16:20:56 clutch com.apple.SecurityServer[36]: Succeeded authorizing right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Sep 30 16:20:56 clutch sshd[11360]: Accepted keyboard-interactive/pam for tegtmeye from 128.63.24.155 port 53238 ssh2

Thinking that it is a CCacheServer problem, I reset system.login.tty back to the system-supplied settings, but noticed that when logging into a machine at the loginwindow I often see a message in the logs about setting the correct context for the user logging in, whereas I did not see such a message on the server when sshing in:

Sep 23 16:07:44 clutch SecurityAgent[3548]: User info context values set

Reading http://developer.apple.com/technotes/tn2005/tn2083.html, I wondered if the correct context was being set. I tried the only other thing I knew of that would easily tell me whether I was actually logging in as who I thought I was logging in as: I set the network user to have a kerberized NFS-mounted home directory. Trying this, I get this in the system log:

Sep 30 16:25:22 clutch gssd[11615]: Error returned by svc_mach_gss_init_sec_context:
Sep 30 16:25:22 clutch gssd[11615]: Major error <1> Unspecified GSS failure. Minor code may provide more information
Sep 30 16:25:22 clutch gssd[11615]: Minor error <1> Unknown Error Code: 19777
Sep 30 16:25:22 clutch gssd[11615]: nfs client Kerberos: pawl.arl.army.mil:/Users, uid=0 - Unknown Error Code: 19777

Googling "Unknown Error Code: 19777" points me to the Feb. thread in this list. At this point I am suspicious that sshd via launchd is not setting the correct context on network user login (but why just network users??), which causes things to fall apart, most notably CCacheServer not getting set up correctly for the logged-in user, and the fact that NFS thinks that root is the one logging in.

Not having network users able to ssh with kerberized SSO is kind of a show stopper for us, so any help would be greatly appreciated.

Thanks in advance,
Mike Tegtmeyer
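The post's diagnosis rests on reading three kinds of syslog lines together: the krb5 numeric error from authorizationhost, the sshd "Accepted" record (whose method shows whether GSSAPI was actually used), and the gssd major/minor codes with the uid the NFS client presented. The script below is an added triage example, not code from the post or from Apple; it parses BSD-style syslog lines, extracts those fields, and flags an SSH login that sshd accepted while the credential-cache store failed in the same window, and an NFS GSS context requested as uid 0. The sample log is constructed from the lines quoted in the post, and the year (2008) is an assumption because syslog timestamps omit it.

```python
"""Triage macOS syslog lines for Kerberos/GSSAPI login problems (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: the lines quoted in the mailing-list post.
SAMPLE_LOG = """\
Sep 30 16:20:56 clutch authorizationhost[11370]: k5_store_ticket_in_cache(): got -1765328188 (Internal credentials cache error) on plugins/krb5/krb5_operations.c:83
Sep 30 16:20:56 clutch com.apple.SecurityServer[36]: Succeeded authorizing right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
Sep 30 16:20:56 clutch sshd[11360]: Accepted keyboard-interactive/pam for tegtmeye from 128.63.24.155 port 53238 ssh2
Sep 30 16:25:22 clutch gssd[11615]: Error returned by svc_mach_gss_init_sec_context:
Sep 30 16:25:22 clutch gssd[11615]: Major error <1> Unspecified GSS failure. Minor code may provide more information
Sep 30 16:25:22 clutch gssd[11615]: Minor error <1> Unknown Error Code: 19777
Sep 30 16:25:22 clutch gssd[11615]: nfs client Kerberos: pawl.arl.army.mil:/Users, uid=0 - Unknown Error Code: 19777
"""

# Classic BSD syslog: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
KRB5_ERR_RE = re.compile(r"got (-?\d+) \(([^)]*)\)")          # "got -1765328188 (text)"
GSS_RE = re.compile(r"(Major|Minor) error <(\d+)> (.*)")       # gssd major/minor lines
SSHD_OK_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")
NFS_UID_RE = re.compile(r"nfs client Kerberos: (\S+), uid=(\d+) - (.*)")

LOG_YEAR = 2008  # assumption: syslog omits the year; the thread is from 2008


@dataclass
class Finding:
    when: datetime
    prog: str
    pid: int
    kind: str    # krb5_error | gss_major | gss_minor | ssh_accept | nfs_uid
    detail: dict


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line that carries one of the fields we triage, else None."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    when = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    prog, pid, msg = m["prog"], int(m["pid"]), m["msg"]
    if (k := KRB5_ERR_RE.search(msg)):
        return Finding(when, prog, pid, "krb5_error", {"code": int(k[1]), "text": k[2]})
    if (g := GSS_RE.search(msg)):
        return Finding(when, prog, pid, f"gss_{g[1].lower()}",
                       {"code": int(g[2]), "text": g[3].strip()})
    if (s := SSHD_OK_RE.search(msg)):
        return Finding(when, prog, pid, "ssh_accept",
                       {"method": s[1], "user": s[2], "src": s[3], "port": int(s[4])})
    if (n := NFS_UID_RE.search(msg)):
        return Finding(when, prog, pid, "nfs_uid",
                       {"export": n[1], "uid": int(n[2]), "text": n[3]})
    return None


def triage(text: str) -> list:
    """Parse every line, keeping only the findings relevant to Kerberos/GSS login."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def correlate(findings: list, window: timedelta = timedelta(seconds=5)) -> list:
    """Cross-line checks: accepted SSH login with a failed ticket store, non-GSSAPI
    login method, and an NFS GSS context requested as root rather than the user."""
    warnings = []
    for acc in (f for f in findings if f.kind == "ssh_accept"):
        stamp = f"{acc.when:%b %d %H:%M:%S}"
        if not acc.detail["method"].startswith("gssapi"):
            warnings.append(f"{stamp}: {acc.detail['user']} logged in via {acc.detail['method']}, "
                            "not GSSAPI: no ticket was delegated by the client")
        for err in (f for f in findings if f.kind == "krb5_error"):
            if abs(err.when - acc.when) <= window:
                warnings.append(f"{stamp}: sshd accepted {acc.detail['user']} but {err.prog}[{err.pid}] "
                                f"failed with krb5 {err.detail['code']} ({err.detail['text']}): "
                                "expect an empty or unusable credential cache")
    for nfs in (f for f in findings if f.kind == "nfs_uid"):
        if nfs.detail["uid"] == 0:
            warnings.append(f"{nfs.when:%b %d %H:%M:%S}: kerberized NFS mount of {nfs.detail['export']} "
                            f"requested GSS credentials as uid 0, not the user: {nfs.detail['text']}")
    return warnings


if __name__ == "__main__":
    for w in correlate(triage(SAMPLE_LOG)):
        print(w)
```

Run it against `/var/log/system.log` instead of the embedded sample to get the same three warnings the post reasons through by hand: a password (PAM) login rather than GSSAPI, a credential-cache store failure in the same second as the accepted login, and an NFS mount negotiating as uid 0.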