Mac OS X v10.5: "GSSAPI Error: Unspecified GSS failure" when accessing Active Directory resources that use Kerberos

Products Affected

Mac OS X 10.5, Mac OS X Server

Symptoms

Attempts to access a resource in Active Directory using Kerberos authentication may fail.

The following may appear in the logs when this happens:

DirectoryService[26]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Requested effective lifetime is negative or too short).
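
To check a saved log for how often this specific failure occurs, the following shell function (an added example, not part of the original article) counts GSSAPI errors whose minor code is the lifetime message above and reports the first and last occurrence. It assumes syslog-style lines with a leading "Mon DD HH:MM:SS" timestamp; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage GSSAPI errors in syslog-style text read from stdin.
# Prints: lifetime=<n> other=<n> first=<timestamp> last=<timestamp>
# "lifetime" counts the expired-ticket minor code quoted in this article;
# "other" counts GSSAPI errors carrying any other (or no) minor code.
gss_triage() {
    awk '
    /GSSAPI Error:/ {
        # The minor-code text is the last parenthesised group on the line.
        minor = ""
        if (match($0, /\([^()]*\)\.?[ \t]*$/)) {
            minor = substr($0, RSTART + 1, RLENGTH - 1)
            sub(/\)\.?[ \t]*$/, "", minor)
        }
        if (minor == "Requested effective lifetime is negative or too short") {
            lifetime++
            stamp = $1 " " $2 " " $3      # syslog "Mon DD HH:MM:SS"
            if (first == "") first = stamp
            last = stamp
        } else {
            other++
        }
    }
    END {
        printf "lifetime=%d other=%d first=%s last=%s\n",
               lifetime, other, (first == "" ? "-" : first), (last == "" ? "-" : last)
    }'
}

# Constructed sample input: timestamps, host name and the second minor code
# are made up; the lifetime message text is the one quoted in this article.
sample_log() {
    cat <<'EOF'
Mar  3 09:14:02 mac01 DirectoryService[26]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Requested effective lifetime is negative or too short).
Mar  3 09:14:05 mac01 kernel[0]: unrelated line
Mar  3 09:20:41 mac01 DirectoryService[26]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Constructed other minor code).
Mar  3 10:02:17 mac01 DirectoryService[26]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Requested effective lifetime is negative or too short).
EOF
}

sample_log | gss_triage
```

A nonzero "lifetime" count that persists over time points to the renewal failure described under Resolution rather than a one-off expired ticket.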

Resolution

This message indicates that the Kerberos ticket used for the GSS LDAP connection has expired and that Mac OS X cannot renew it using the current Kerberos configuration information.

To resolve the issue:

  1. Open Directory Utility.
  2. Edit the settings for the Active Directory connector: Under Advanced, deselect "Allow authentication from any domain in forest".
  3. In the Authentication search path, explicitly add each Active Directory domain in which resources that rely on Kerberos authentication are accessed.

This change provides explicit Kerberos configuration information for each domain, which is needed because each domain is a separate Kerberos realm in Active Directory.

This document will be updated as more information becomes available.