Mac OS X Server v10.5: iChat Kerberos authentication does not work after upgrading from Mac OS X Server v10.4
Mac OS X Server 10.5, iChat
After upgrading from Mac OS X Server v10.4 to Mac OS X Server v10.5, iChat users may no longer be able to use Kerberos authentication to the iChat service.
Mac OS X Server v10.4 uses a Kerberos service principal for iChat in uppercase format: "XMPP/<hostname>@<REALM>". Mac OS X Server v10.5 and later uses a Kerberos service principal for iChat in lowercase format: "xmpp/<hostname>@<REALM>". During the upgrade to Mac OS X Server v10.5, the lowercase service principal is not created. Administrators should re-kerberize their Mac OS X Server v10.5 server after upgrading as follows.
On the iChat server, execute the following commands in Terminal. Review all instructions before you begin.
- Establish root access with this command (you will be prompted for your administrator account password):
- Create the xmpp service principal with this command (you will be prompted for your administrator account password):
sso_util configure -r REALM.EXAMPLE.COM -f /directory/node -a admin xmpp
- "REALM.EXAMPLE.COM" is the name of your Kerberos realm in all capital letters (if using Active Directory, the fully qualified domain name of the AD domain where the iChat server's computer account is stored, in all capital letters).
- admin is the name of the administrator account used for the directory service.
- If using Open Directory, "/directory/node" is either "/LDAPv3/127.0.0.1" if the iChat server is also the Open Directory master, or "/LDAPv3/hostname", where hostname is the fully qualified hostname of the Open Directory master (as configured in Directory Utility).
- If using Active Directory, replace "/directory/node" with "/Active\ Directory/domain" where domain is the fully qualified domain name of the Active Directory domain containing the computer account of the iChat server. Note the escaped space between Active and Directory in the above reference.
- Restart the server to enable the new service principal.
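To confirm the upgrade left only the uppercase principal before re-kerberizing, and that the lowercase one is present afterwards, the keytab listing can be checked from the shell. This is an added example, not part of the Apple article; it assumes MIT-style `klist -k` output (the format used by Mac OS X Server v10.5) and that the iChat keys live in /etc/krb5.keytab; the listing below is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original article): classify the state of the iChat
# (xmpp) service principal from a `klist -k` keytab listing.

# Constructed sample of `klist -k /etc/krb5.keytab` output on a server that was
# upgraded from v10.4: only the uppercase XMPP/ principal is present.
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 XMPP/ichat.example.com@REALM.EXAMPLE.COM
   3 host/ichat.example.com@REALM.EXAMPLE.COM'

# has_principal LISTING PRINCIPAL
# Exit 0 if PRINCIPAL appears (case-sensitive) in the principal column of LISTING.
has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { found = 1 } END { exit !found }'
}

# xmpp_principal_state LISTING HOST REALM
# Prints "ok" (lowercase xmpp/ principal present), "uppercase-only" (v10.4
# leftover, clients will fail with "Server not found in Kerberos database"),
# or "missing" (no iChat principal at all).
xmpp_principal_state() {
    xps_listing=$1; xps_host=$2; xps_realm=$3
    if has_principal "$xps_listing" "xmpp/$xps_host@$xps_realm"; then
        echo ok
    elif has_principal "$xps_listing" "XMPP/$xps_host@$xps_realm"; then
        echo uppercase-only
    else
        echo missing
    fi
}

# Against a live server run (as root), with your own hostname and realm:
#   xmpp_principal_state "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" REALM.EXAMPLE.COM
xmpp_principal_state "$SAMPLE_LISTING" ichat.example.com REALM.EXAMPLE.COM
```

Run it again after `sso_util configure` and the restart; the expected result is "ok".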
The following text may appear in the system log files on affected client computers:
iChatAgent: [SASL] Level 2: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
iChatAgent: [SASL] Level 2: No worthy mechs found
iChatAgent: WARNING: SASL could not start negotiation: -4
iChatAgent: WARNING: JConnection: Error: The host your.server.fqdn does not support Kerberos authentication., type=4, code=21