pmbuko / kerbminder Goto Github PK

Mac bound to emea.akqa.local domain. User account is a local account.

When attempting to run KerbMinder.py it states the domain is not accessible.

Running the dig command manually will resolve the domain correctly.

LON04082:~ jonny.ford$ /Library/Application\ Support/crankd/KerbMinder.py
Kerberos Principal is jonny.ford@LKDC:SHA1.EA
Domain not accessible. Exiting.
LON04082:~ jonny.ford$ dig -to srv_ldap._tcp emea.akqa.local
;; Warning, ignoring invalid type o

; <<>> DiG 9.8.3-P1 <<>> -to srv_ldap._tcp emea.akqa.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64980
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

https://gist.github.com/pudquick/f27efd1ddcbf57be0d14031a5e692015

Testing this out I am having an issue where there is no "wrong password" message displayed when a wrong password is input into the password box. It looks like I can put in the wrong password multiple times without any warning and to the user it looks like it was successful. This happens with both a bound to AD account and one that is not on the domain. Looking at the console logs it shows:

Ticket is not present
Initiating Ticket with password
Ticket initiation OK

It works fine when I type in the correct password. Testing this on a 10.11.5 Mac.

Hoping to find a solution as I would love to use this! Thanks.

For users that need a standard AD account and a Service Account -- or Privileged Account (eg. ftiff & sa-ftiff)

Hi Folks,

I'm not 100% sure of this one, but let's keep an eye on it.

My tickets were expired this morning:

$ klist
Credentials cache: API:D8C1FDC5-CB12-4EC3-DDBC-CF8B9DD4CDD6
        Principal: [email protected]

  Issued                Expires        Principal
Nov 23 13:38:26 2015  >>>Expired<<<  krbtgt/[email protected]
Nov 23 13:45:09 2015  >>>Expired<<<  cifs/[email protected]
$

And KerbMinder didn't know how to renew them:

24.11.15 11:01:32.274 KerbMinder.py[10926]: Computer is not bound.
24.11.15 11:01:32.293 KerbMinder.py[10926]: Found principal from cache: [email protected]
24.11.15 11:01:32.498 KerbMinder.py[10926]: Domain is accessible.
24.11.15 11:01:32.608 KerbMinder.py[10926]: Ticket is present.
24.11.15 11:01:32.608 KerbMinder.py[10926]: Refreshing Ticket…
24.11.15 11:01:33.080 KerbMinder.py[10926]: Can't refresh ticket.
24.11.15 11:01:33.080 KerbMinder.py[10926]: Error: Command '['kinit', '--renew']' returned non-zero exit status 1

Unfortunately my manager was behind my shoulders so I preferred to kdestroy;kinit instead of debugging this.

Seems there may be an issue with KerbMinder in Sierra. Seeing this in the logs...

Sep 22 08:03:44 MC02PX0NHGFWL com.apple.xpc.launchd1: Service exited with abnormal code: 2
Sep 22 08:04:14 MC02PX0NHGFWL com.apple.xpc.launchd1: Service only ran for 30 seconds. Pushing respawn out by 15 seconds.
Sep 22 08:04:29 MC02PX0NHGFWL com.apple.xpc.launchd1: Service exited with abnormal code: 2
Sep 22 08:54:07 MC02PX0NHGFWL com.apple.xpc.launchd1: Service only ran for 11 seconds. Pushing respawn out by 34 secon

Can we get a fix? I am willing to pay for it if we can get it quickly.

Just upgraded to Sierra to try Kerbminder and when I try to run it manually from terminal on a bound Mac I am seeing the following error.

$ sudo python Kerbminder.py
Can't find Principal from AD: 'NoneType' object has no attribute 'group'. Exiting.

I'll continue to do some more testing, but not sure if this is a Sierra issue or not. Works fine on 10.10 & 10.11.