Mac OS X v10.5: "GSSAPI Error: Unspecified GSS failure" when accessing Active Directory resources that use Kerberos
Symptoms
When attempting to access a resource in Active Directory via Kerberos authentication, authentication may not work.
The following may appear in the logs when this happens:
DirectoryService[26]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Requested effective lifetime is negative or too short).
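To confirm that a host is hitting this specific failure rather than another Kerberos problem, the log can be filtered on the minor status text. The shell script below is an added example, not part of the original article; it assumes standard syslog-format lines (for instance from /var/log/system.log), and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Summarises GSSAPI failures in syslog-format text on stdin.
# Output, tab-separated: count, first seen, last seen, process, minor status.
gss_failures() {
    awk '
    /GSSAPI Error:/ {
        # Assumed syslog prefix: "Mon DD HH:MM:SS host process[pid]: message"
        ts = $1 " " $2 " " $3
        proc = $5
        sub(/\[[0-9]+\]:$/, "", proc)
        # The minor status is the parenthesised text that ends the line.
        reason = "(no minor status)"
        if (match($0, /\([^()]*\)\.?$/)) {
            reason = substr($0, RSTART + 1)
            sub(/\)\.?$/, "", reason)
        }
        key = proc SUBSEP reason
        if (!(key in n)) { order[++k] = key; first[key] = ts }
        n[key]++
        last[key] = ts
    }
    END {
        for (i = 1; i <= k; i++) {
            split(order[i], p, SUBSEP)
            printf "%d\t%s\t%s\t%s\t%s\n", n[order[i]], first[order[i]], last[order[i]], p[1], p[2]
        }
    }'
}

# Counts only the failure described in this article (expired, unrenewable ticket).
expired_ticket_count() {
    gss_failures | awk -F '\t' '
        $5 == "Requested effective lifetime is negative or too short" { c += $1 }
        END { print c + 0 }'
}

# Constructed sample lines: only the text from "DirectoryService[26]:" onward in
# the first line is from the article; timestamps, host and other lines are made up.
SAMPLE_LOG='Mar  3 09:12:01 mac01 DirectoryService[26]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Requested effective lifetime is negative or too short).
Mar  3 09:30:10 mac01 loginwindow[41]: Login Window Started Security Agent
Mar  3 09:41:55 mac01 DirectoryService[26]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Clock skew too great).
Mar  3 09:47:30 mac01 DirectoryService[26]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Requested effective lifetime is negative or too short).'

printf '%s\n' "$SAMPLE_LOG" | gss_failures
printf 'expired-ticket failures: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | expired_ticket_count)"
```

Grouping by minor status keeps unrelated GSSAPI failures from being counted as the expired-ticket condition that the resolution addresses.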
Products Affected
Mac OS X Server, Mac OS X 10.5
Resolution
This error indicates that the Kerberos ticket used for the GSS LDAP connection has expired and that Mac OS X cannot renew it using the current Kerberos configuration information.
To resolve the issue:
- Open Directory Utility.
- Edit the settings for the Active Directory connector: Under Advanced, deselect "Allow authentication from any domain in forest".
- In the Authentication search path, specifically add each Active Directory domain in which Kerberos authentication-based resources are accessed.
This change provides explicit Kerberos configuration information for each domain, which is needed because each domain in Active Directory is a separate Kerberos realm.
This document will be updated as more information becomes available.