How to get Kerberos tickets in sync with OD password changes?

chriswonders
New Contributor

I've traced an issue that's been plaguing us down to a "simple" problem:

Kerberos tickets are not syncing with Open Directory password changes (from System Preferences).

Another way to put this:

Expired/expiring ticket renewal requests are being signed with old keys until the machine is rebooted.

How can I get these back in sync?

A little more info: We see the problem manifest when, after the 10 hour ticket expiration, kcm kicks in and tries (presumably) to renew. It fails due to an incorrect password (key) and subsequently locks the user out after a number of retries. If we kill the kcm service, no issue. If we kdestroy the tickets manually after a password change, no issue.

We're using OS X 10.9 and 10.10 on the clients and 10.10 on the server.


davidacland
Honored Contributor II

As the base behaviour of the OS can't really be changed that easily, I would probably look to either:

  1. Create a separate password change AppleScript that can add a kdestroy to the end of the password change process, or...
  2. Try KerbMinder in case it helps improve the behaviour, or...
  3. Let the users know about the bug and that a restart will fix it
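As an added illustration of the first suggestion (this is not David's code or anything from the thread), here is a POSIX shell script that an AppleScript could call through `do shell script`: it changes the password with `passwd`, then, only if a Kerberos credential cache exists for that user, runs `kdestroy` and re-acquires tickets with `kinit` so the next kcm renewal does not retry with a key derived from the old password. The `klist` output embedded below is constructed; that `passwd` updates the Open Directory password for the logged-in user and that the Heimdal tools `klist`, `kdestroy` and `kinit` are in `PATH` are assumptions.

```shell
#!/bin/sh
# Added example: post-password-change Kerberos cache refresh (not from the thread).
# Assumes macOS Heimdal tools (klist/kdestroy/kinit) are in PATH and that
# `passwd` changes the Open Directory password of the current user.
set -u

# Constructed sample of `klist` output, used only to show what gets parsed.
SAMPLE_KLIST='Credentials cache: API:501:1
        Principal: jdoe@OD.EXAMPLE.COM

  Issued                Expires               Principal
Mar 10 09:00:00 2015  Mar 10 19:00:00 2015  krbtgt/OD.EXAMPLE.COM@OD.EXAMPLE.COM'

# Print the principal named in klist output; prints nothing when no cache exists.
principal_from_klist() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*Principal:/ { print $2; exit }'
}

# Return 0 when the cache belongs to the user who just changed the password
# (principal starts with "<user>@"), 1 otherwise, so unrelated caches are left alone.
cache_needs_flush() {
    user=$1; klist_out=$2
    principal=$(principal_from_klist "$klist_out")
    case "$principal" in
        "$user@"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Interactive flow: change the password, then drop tickets tied to the old key
# and obtain fresh ones with the new password.
change_password_and_refresh() {
    user=$(id -un)
    if ! passwd "$user"; then
        echo "password change failed; leaving existing tickets in place" >&2
        return 1
    fi
    current=$(klist 2>/dev/null || true)
    if cache_needs_flush "$user" "$current"; then
        kdestroy                                    # discard tickets bound to the old key
        kinit "$(principal_from_klist "$current")"  # prompts for the new password
    fi
}

# Only run the interactive part when explicitly asked, e.g. `sh refresh.sh run`.
case "${1-}" in
    run) change_password_and_refresh ;;
esac
```

Running the script with the `run` argument performs the change; the parsing helpers can be exercised on their own, which is how the flush decision is kept testable without touching a real credential cache.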

chriswonders
New Contributor

Thanks David. I was definitely leaning toward #1. The issue we've got is that folks have multiple machines, so we'd also have to update other machines they've logged into recently so they don't get locked out.

Has anyone else encountered anything like this?

How is everyone else dealing with the password changes? Do you just have Kerberos Credential Caching disabled?

maxbehr
Contributor II

Do you force users to re-authenticate when the screensaver kicks in? Not sure if it is the same in an OD environment, but in Active Directory re-authenticating when the screensaver kicks on renews the tickets. We have the issue when authenticating with a smart card off network, and the user connects to the network (VPN or wired in) and the Kerberos authentication does not automatically happen. Our users are trained to lock the screen and then re-authenticate to get the tickets.