# HELP:  Tried everything, can't get Kerberos to work

## theosib

I'm trying to set up Netatalk to use Kerberos authentication directly.  I used to have it use PAM, but either Netatalk or PAM is buggy, because apparently, I'm not the only person having intermittent authentication problems with Netatalk (e.g. http://ubuntuforums.org/showthread.php?p=10607637#post10607637).  

So, I started trying to use this guide to set up Kerberos:

http://en.gentoo-wiki.com/wiki/Kerberos_Authentication

When that didn't work, I found this:

http://deepport.net/archives/setting-up-a-linux-server-for-os-x-clients/#kerberos

and set up just the Kerberos and Netatalk parts.  That didn't work either.

Then someone kindly gave me these instructions:

http://www.osnews.com/permalink?468106

But those don't work either.  No matter what I do, I can't authenticate at all.  I'm told that the name and/or password is invalid.  

I'm usually not this thick.  I have followed instructions faithfully.  Now, it may be that I've left something broken from some other steps, because probably one of those guides is just wrong, or I screwed up.  But I have no idea where to begin.

Can someone please help?

Thanks!

----------

## theosib

Can anyone perhaps suggest some diagnostics so we can tell what is and what is not working?  Tests?

----------

## MassimoM

[PREMISE] I don't know anything about Netatalk or any other Apple-related technology, but I've set up a working kerberos system for authenticating WinXP and Ubuntu clients at logon, and accessing Samba servers, NFS servers and Squid proxy "passwordless" with kerberos tickets[/PREMISE]

You can attach all of the logs that you have about the KDC and server daemon and client program.

Set them to log verbosely.

That's the minimum required to try to understand the problem.

----------

## theosib

I've googled around to find out how to enable logging, but the commands I find seem to refer to executables that don't exist.  Hint, please?

Thanks.

----------

## MassimoM

In "man krb5.conf" there's a section about logging.

Lines of log from KDC are very important, from kadmin server are somewhat less important (it's "only" used to create user accounts / change passwords remotely).

Default logging refers to logs from processes that are using kerberos as client or kerberized service provider, so it's important.

----------
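As an added example (not from either poster), here is what the logging section that "man krb5.conf" describes looks like in practice for an MIT Kerberos `/etc/krb5.conf`. The file paths are assumptions; adjust them to your distribution and restart `krb5kdc` (and `kadmind`) after editing so the daemons pick up the new destinations.

```ini
# Added example, not the thread's own configuration. MIT krb5 [logging]
# stanza: every value is DESTINATION:target; FILE:, SYSLOG: and STDERR
# are the usual destinations. Paths below are assumed, not distro defaults.
[logging]
    # Messages from the KDC (krb5kdc). This is the log to read first for
    # "name and/or password invalid" failures: each AS-REQ / TGS-REQ is
    # recorded with its outcome, e.g. PREAUTH_FAILED (wrong password or
    # wrong key in a keytab) or CLIENT_NOT_FOUND (principal does not exist).
    kdc = FILE:/var/log/krb5kdc.log

    # Messages from kadmind (remote principal / password administration).
    # Less useful for a login failure, but shows whether a kadmin change
    # actually reached the database.
    admin_server = FILE:/var/log/kadmind.log

    # Everything else that links libkrb5: clients such as kinit and
    # kerberized services (for Netatalk, the afpd process accepting the
    # service ticket). Failures to read a keytab or decrypt a ticket land here.
    default = FILE:/var/log/krb5libs.log

    # Alternative: hand the KDC log to syslog instead of a file.
    # kdc = SYSLOG:INFO:DAEMON
```

A couple of checks that go with this, on the client side: with MIT krb5 1.9 or later you can get per-request tracing without any config change by running `KRB5_TRACE=/dev/stderr kinit user@REALM`, which prints which KDC was contacted and which step failed. On the Netatalk host, `klist -k` on the service keytab confirms that the service principal exists and shows its key version number; if that number does not match what the KDC issues (compare with `kvno service/host@REALM` after a successful `kinit`), the server cannot decrypt tickets even though the password itself is correct.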

## theosib

I've decided that this just isn't worth my time to fool with.  If it's going to be this hard, my time is better spent elsewhere.

It WOULD be worth my time if this were suitable for Time Machine backups, but since Netatalk doesn't support Replay Cache functionality, then putting a Mac to sleep during a backup causes the Mac to lock up.  This is a MacOS bug, of course, but Time Machine is the main reason anyone would want to use Netatalk anyhow.  

So, between the lockups and the fact that Netatalk doesn't get along with PAM properly, I think I'm just going to put it aside and come back in a few years when these problems are fixed.

Anyhow, thanks for the help.

----------

## MassimoM

If you were simply trying to back up your Mac to your unix box at your home, I think that you weren't on the right road. Kerberos is a complex system, worth the effort for a reasonably sized network. There are surely some other, simpler password-based authentication schemes available.

Maybe using NFS?

Or if you want to pre-allocate some space for Time Machine you can consider exporting a block device, with iSCSI or with ATA over Ethernet (really easy to set up! but no authentication). (hypothesis made without MacOS knowledge, except that it is Unix-based)

----------

