10.8 not receiving TGT on login, cannot connect to ExtremeZ-IP afp shares

If you have tried connecting to any NAS or ExtremeZ-IP devices lately, you may be surprised to find that it requires a username and password to connect now (even if it's Kerberized), and you may also receive the following, rather obtuse, error message: "The version of the server you are trying to connect to is not supported. Please contact your system administrator to resolve the problem." Um, what?

I'm thinking that Apple's change from MIT Kerberos to Heimdal Kerberos is what's causing the issue here: when a Mac user logs in, they do not get a TGT from MS Active Directory*. According to MIT's blog, you have to add the 'default_principal' option to the pam_krb5 line in the /etc/pam.d/authorization PAM file.

Find the line that starts with

auth optional pam_krb5.so use_first_pass use_kcminit

and edit it to read

auth optional pam_krb5.so use_first_pass use_kcminit default_principal

After adding that, my Macs are consistently getting TGTs on login and authenticating just fine to the EZIP shares.

My second issue comes in with laptop users who may or may not be connected to the network when they log in. They won't get a TGT regardless of what settings I have in /etc/pam.d/authorization, so I need to make sure that they can still get to those EZIP shares even without a TGT, since this method had worked just fine in 10.6. The problem there is, yet again, that Apple has unilaterally declared some authentication protocols "insecure," and so has disabled them. Thanks Apple.

It seems that EZIP relies on the DHCAST128 auth protocol (UAM), so you have to re-enable it in the /Library/Preferences/com.apple.AppleShareClient.plist file. The command below rewrites the afp_disabled_uams list so that DHCAST128 is no longer in it, while the weaker methods stay disabled:

sudo defaults write /Library/Preferences/com.apple.AppleShareClient afp_disabled_uams -array "Cleartxt Passwrd" "MS2.0" "2-Way Randnum exchange"

Allegedly this change is made unnecessary by EZIP v8.01 or higher, but I have not been able to verify that. See here for the full Apple KB detailing the necessary changes: http://support.apple.com/kb/HT4700

After making the changes, restart the Mac. AFP shares advertised by EZIP servers will now use the valid Kerberos TGT generated on network login, or default to username/password auth in the case of a non-network login. Note that Ticket Viewer sucks, and will not always show you a valid TGT or anything else for that matter. To be SURE you have a TGT and any other service tickets, use klist. I would suggest learning the ins and outs of kdestroy and kinit also.
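As an added example (not part of the original post, and not ExtremeZ-IP's or Apple's code), here is a small POSIX shell script that does the two admin chores above in a repeatable way: it appends default_principal to the pam_krb5 auth line only if it is not already there (backing the file up first, and refusing to touch a file that has no such line), and it checks klist output for a krbtgt entry for a given realm. The function names are my own, and the PAM file and klist listing it operates on are constructed samples rather than captures from a real 10.8 machine; point add_default_principal at /etc/pam.d/authorization (as root) and pipe real klist output into has_tgt to use it for real.

```shell
#!/bin/sh
# Added example, not from the original post. Two admin helpers:
#  - add_default_principal FILE : append "default_principal" to the pam_krb5
#    auth line of a PAM file, only if it is not already there (backs up first)
#  - has_tgt REALM              : read klist output on stdin, succeed if it
#    contains a krbtgt/REALM@REALM entry
# Function names are assumptions; the sample PAM file and klist output below
# are constructed, not captured from a real machine.

add_default_principal() {
    file="$1"
    # Already done: leave the file alone so repeated runs are harmless.
    if grep -q '^auth[[:space:]].*pam_krb5\.so.*default_principal' "$file"; then
        return 0
    fi
    tmp="$file.tmp.$$"
    # Only the "auth optional pam_krb5.so ..." line is rewritten.
    sed 's/^\(auth[[:space:]][[:space:]]*optional[[:space:]][[:space:]]*pam_krb5\.so.*\)$/\1 default_principal/' \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # A file with no pam_krb5 auth line (e.g. a differently built image) is
    # left untouched rather than silently "fixed".
    if ! grep -q 'pam_krb5\.so.*default_principal' "$tmp"; then
        echo "no 'auth optional pam_krb5.so' line found in $file" >&2
        rm -f "$tmp"
        return 1
    fi
    cp "$file" "$file.bak" && mv "$tmp" "$file"
}

# Succeeds only if klist output on stdin lists a TGT for the realm given.
has_tgt() {
    grep -qF "krbtgt/$1@$1"
}

# Constructed stand-in for /etc/pam.d/authorization before the edit.
make_sample_pam() {
    cat > "$1" <<'EOF'
# authorization: PAM config (constructed sample)
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       sufficient     pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
EOF
}

# Constructed stand-in for Heimdal klist output with a TGT present.
sample_klist_with_tgt() {
    cat <<'EOF'
Credentials cache: API:12345
        Principal: jdoe@EXAMPLE.COM

  Issued           Expires          Principal
Jan  1 09:00:00  Jan  1 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
}

# Stand-alone demo on the constructed inputs.
f=$(mktemp)
make_sample_pam "$f"
add_default_principal "$f" && cat "$f"
sample_klist_with_tgt | has_tgt EXAMPLE.COM && echo "TGT for EXAMPLE.COM present"
printf 'klist: No ticket file\n' | has_tgt EXAMPLE.COM || echo "no TGT: expect a username/password prompt"
rm -f "$f" "$f.bak"
```

Running the edit a second time is a no-op, which matters if you push it out with a management tool that re-runs scripts; the .bak copy lets you diff what actually changed on a machine that behaves differently.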

Go Go gadget Apple!

*Only seems to affect computers upgraded from 10.6. I have not seen Macs with fresh OS X 10.8 images exhibiting the missing Kerberos TGT behavior.
