Technology from the trenches

Kerberos Issues With Podcast Producer / XGrid on Leopard Server

I ran into several difficulties setting up Podcast Producer in Leopard server. I followed the setup instructions in the manual, but when it came to getting Xgrid up and running, I hit a wall.

Here are the problems that I encountered:

“agent could not determine the expected controller service principal”

The Podcast Producer manual says that Kerberos authentication in Xgrid is necessary (page 26)…

However, by following the directions in the manual, I got an Xgrid agent that could not authenticate to the controller. I reported this problem in detail in the Apple Discussion Forums, but nobody replied.

Although it is likely a rare problem, I wasn’t the only one who had it.

I’m happy to report that I discovered what the “expected controller service principal” was, and how to fix it. The expected controller principal is defined in a text file: /private/etc/xgrid/controller/service-principal. Where else would it be? ;-). For me, it was set to “xgrid/hostname@MYREALM.CA”.

To fix the problem, get your real xgrid service principal from your keytab:

$ sudo klist -k | grep xgrid
3 xgrid/leopardserver.netmojo.ca@MYREALM.CA
3 xgrid/leopardserver.netmojo.ca@MYREALM.CA
3 xgrid/leopardserver.netmojo.ca@MYREALM.CA

And replace whatever is in the service-principal file with the correct principal. In the Server Admin application, change to Xgrid -> Settings -> Agent, and put your FQDN (in my case, leopardserver.netmojo.ca) — or whatever the host portion of your xgrid service principal is — in the “Use a Specific Controller” field. Restart Xgrid.

That alone seems to solve both this problem, and the next one.
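As an added diagnostic (not from the original post), the script below compares the principal in /private/etc/xgrid/controller/service-principal with the host-qualified xgrid/ principal actually in the keytab, and prints the host name that belongs in the “Use a Specific Controller” field. The parsing functions take text, so they can be run on saved klist -k output; the --live mode assumes sudo access to the keytab.

```shell
#!/bin/bash
# Check the "expected controller service principal" against the keytab.
# Added example, not from the original post. The file path is the one the
# post names; parsing works on text so it can run on saved `klist -k` output.

SERVICE_PRINCIPAL_FILE=/private/etc/xgrid/controller/service-principal

# Unique host-qualified xgrid/<host>@REALM entries from `klist -k` output.
# Bare xgrid@REALM entries (as in George's keytab) are ignored: the agent
# looks for the host-qualified form. Header lines never have "xgrid/" in $2.
xgrid_principals_from_keytab() {
    printf '%s\n' "$1" | awk '$2 ~ /^xgrid\// { print $2 }' | sort -u
}

# Host portion of xgrid/<host>@REALM: the value for "Use a Specific Controller".
host_from_principal() {
    p=${1#xgrid/}
    printf '%s\n' "${p%@*}"
}

# $1: service-principal file contents, $2: `klist -k` output.
# Returns 0 on match, 1 on mismatch, 2 if the keytab lacks exactly one xgrid/ entry.
check_service_principal() {
    expected=$(printf '%s' "$1" | tr -d '[:space:]')
    actual=$(xgrid_principals_from_keytab "$2")
    count=$(printf '%s\n' "$actual" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 2
    [ "$expected" = "$actual" ]
}

# Live check on this server; reading the keytab needs root (hence sudo).
live_check() {
    file_content=$(cat "$SERVICE_PRINCIPAL_FILE")
    keytab=$(sudo klist -k)
    if check_service_principal "$file_content" "$keytab"; then
        echo "OK: controller expects $(printf '%s' "$file_content" | tr -d '[:space:]')"
        return 0
    fi
    echo "MISMATCH: $SERVICE_PRINCIPAL_FILE says '$file_content'"
    echo "Keytab has:"; xgrid_principals_from_keytab "$keytab"
    echo "Write the keytab principal to the file, set 'Use a Specific Controller' to:"
    host_from_principal "$(xgrid_principals_from_keytab "$keytab" | head -n 1)"
    echo "then restart Xgrid."
    return 1
}

# Run the live check only when invoked with --live (sourcing just defines functions).
if [ "${1-}" = "--live" ]; then live_check; fi
```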

“xgridagentd: Error returned by gss_init_sec_context … Unspecified GSS failure”

At some point, I switched from the “expected controller service principal” error to this gss_init_sec/Unspecified GSS failure error. There were also some BEEPErrors (620, 600 and oddly 200) thrown in for good measure.

There was also a GSS minor error, “Server not found in Kerberos database”, which suggests that it was looking up the wrong service principal. So updating the /private/etc/xgrid/controller/service-principal file probably fixed this.

However, you might also want to check that there are Kerberos principals for your podcast producer users: pcastadmin, pcastuser, pcastxgrid (as described on page 24 of the Podcast Producer manual). Run:

# kadmin.local
kadmin.local: listprincs *cast*
pcastadmin@MYREALM.CA
pcastuser@MYREALM.CA
pcastxgrid@MYREALM.CA

These should have been added automatically when you created the users, but if they are not there, you can add them in kadmin.local. For example:

kadmin.local: addprinc -randkey pcastuser@MYREALM.CA

“_xgrid._tcp.local”

The automatic configuration of Xgrid via the “Configure Xgrid Service” button in the Xgrid panel of Server Admin.app sets up the controller to advertise its service via Bonjour, aka mDNS, at _xgrid._tcp.local. This results in these intermittent entries in my logs:

2/6/08 4:45:57 PM Unknown[30] Client application bug: DNSServiceResolver(leopardserver\.netmojo\.ca._xgrid._tcp.local.) active for over two minutes. This places considerable burden on the network.

I still haven’t found a way to prevent this. It looks like it’s wasting resources, but it doesn’t seem to affect the functioning of Xgrid or Podcast Producer.


8 Responses to “Kerberos Issues With Podcast Producer / XGrid on Leopard Server”

  1. Jussi Says:

    Hi,

    for me this did not solve the problem with “agent could not determine the expected controller service principal”. My xgrid service principal and the one expected are one and the same. Any ideas?

    /jussi

  2. Brent Says:

    Did you have to change the /private/etc/xgrid/controller/service-principal file? If so, did you restart Xgrid and the KDC after changing it? Is your actual FQDN equal to the name in that file, and does DNS resolve your IP address (forward and reverse lookups) to that name?

  3. Brent Says:

    Also, try running:

    sudo serveradmin settings xgrid

    If the FQDN of your kerberos server isn’t in the prefs:ControllerName field, you can set it with:

    sudo serveradmin settings xgrid:AgentSettings:prefs:ControllerName = “myserver.netmojo.ca”

    Yet another place to look for problems is in the plaintext xml file:

    /Library/Preferences/com.apple.pcastserverd.plist

    I’m interested to know how it goes. Good luck!

  4. GEORGE Says:

    hello

    Interesting postings

    I have the following:

    $ sudo klist -k | grep xgrid
    4 xgrid/servername.domain.ro@SERVERNAME.DOMAIN.RO
    4 xgrid/servername.domain.ro@SERVERNAME.DOMAIN.RO
    4 xgrid/servername.domain.ro@SERVERNAME.DOMAIN.RO
    3 xgrid@SERVERNAME.DOMAIN.RO
    3 xgrid@SERVERNAME.DOMAIN.RO
    3 xgrid@SERVERNAME.DOMAIN.RO

    2. $ kadmin.local
    Couldn’t open log file /var/log/krb5kdc/kadmin.log: Permission denied
    Authenticating as principal adminuser/admin@SERVERNAME.DOMAIN.RO with password.
    kadmin.local: Permission denied while initializing kadmin.local interface

  5. Brent Says:

    George, it must be executed with root privileges. Prefix with “sudo”.

  6. GEORGE Says:

    thank you for the answer, the thing is that I am still not able to start xgrid with kerberos authentication.

    Here is the error from kadmin.local; any other ideas would be really appreciated:

    $ sudo kadmin.local
    Password:
    Authenticating as principal root/admin@SERVERNAME.DOMAIN.RO with password.
    kadmin.local: No such file or directory while initializing kadmin.local interface

  7. Brent Says:

    Looks like you have a general problem with Kerberos - do any kerberized services work? Probably not…

    I don’t have time to research the issue, but starting with Google would be good. The first match indicates an issue with kdc.conf and the database name…

  8. Brent Says:

    John: I bet that the problem was that your admin user didn’t have a mailbox:

    http://cyrusimap.web.cmu.edu/twiki/bin/view/Cyrus/SieveShell

    I just came across this while setting up a new mail admin user.
