Destroy Kerberos Ticket

Since we deployed Leopard to the computer labs at work, I’ve been running into this annoying problem involving Kerberos. I hadn’t spent any time trying to figure out how to circumvent it until now because it really only affects administrators. We can deal with our own problems, right?

When a user logs in, they authenticate to our server using their account username (we’ll use Alice for this example). At this point they are given a Kerberos ticket. From then on, in Leopard, whenever the user attempts to connect to an AFP share on the server, Leopard assumes that they are connecting as the same user, Alice. Because the Kerberos ticket is still valid, the user is automatically authenticated as Alice. Of course, this makes perfect sense. That’s the whole point of Kerberos: single sign-on.

The problem resides in the assumption that the user wants to connect as the same user every time. What if Alice is actually an admin who needs to log on to a share using different credentials? Here’s an example: I’m testing a student account, with normal student privileges. During the course of my testing, I need to access a document from our administrative share point. Now, obviously the student account does not have access to the administrative share point. I would need to log in to the share using a user with permissions to access the administrative share point.

Unfortunately, Leopard will not even ask me what user account I want to use because I already have a valid Kerberos ticket for the student account. Fortunately, after finally getting fed up with this problem, a quick bit of googling solved it.

All that needs to be done is to destroy the Kerberos ticket. Simply open Keychain Access and select Kerberos Ticket Viewer from the Keychain Access menu. Select your Kerberos ticket from the window and click the Destroy button. This doesn’t actually harm anything; it simply makes your Kerberos ticket expire. The next time you try to connect to the server, you will be asked to authenticate again, at which point you can authenticate as a different user.

Alternatively, you could also create a new Kerberos ticket using a separate username to the same server. Then, before authenticating to a share, you would simply change the active user. Unfortunately it seems as though you can only access one at a time. For example, I could not mount two different users’ home directories at the same time. I would have to activate a user, mount their home directory, eject it, activate the second user, and then mount their home directory. Hmm, as you can probably see, there doesn’t really seem to be a reason why this would be useful. Probably simply destroying the ticket is the best bet.

For more information on this, check out the Mac OS X 10.5: About Kerberos in Mac OS X 10.5 clients knowledge base article from Apple.

Leopard Server Quickstart Guide

Corey Carson has written a fantastic quickstart guide for Leopard Server.

This updated quickstart guide is very similar to the Tiger Server Quickstart Guide posted in 2005. Its primary purpose is to get you up and running quickly, overcoming common hurdles such as DNS and binding confusions. With the move to launchd over cron, those steps are now included as well.

You can grab the PDF at AFP548.com.

The article includes some particularly good instructions on using and setting up rsync, launchd, and Network Home Redirector.

Via Infinity’s End.

Unresponsive Server in ARD

For the past several weeks at work I’ve been gradually working on upgrading our OS X server from Tiger to Leopard. The process has certainly not been without hiccups, but it has gone smoothly for the most part.

After an initial false start attempting to simply upgrade the server, I ended up simply installing the Leopard server from a blank disk. This seemed to take care of most of the really strange things that were happening after the upgrade.

This particular server is of the headless Xserve variety, so we primarily use Apple Remote Desktop to access it in addition to the Server Admin Tools and SSH. Since installing Leopard on the server, however, I’ve been noticing that at times it is acting erratically. Usually I’ll first notice that the server will either stop showing up in ARD or it shows up as black, indicating that there is no ARD agent on the computer. I’ve tried restarting the computer, which will fix it, but that’s not a very good solution for obvious reasons.

I had also noticed while using Server Admin that sometimes the server CPU is running at completely full capacity, like in this screenshot:

OS X Server CPU gone crazy

The other day the server stopped responding in ARD again. As usual though, I was still able to access it through both Server Admin and SSH. After a little research, I found this useful page of commands, which includes this one-liner:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -restart -agent -menu

Running this command restarts the ARD Agent, which is what we want if it is frozen. Once I did this things got a little better, and the server came up in ARD as active. I tried controlling the server through ARD, but no dice, still no connection.

At this point I noticed that there was a user logged on to the server and I remembered that I had also been having problems with VNCDragHelper freezing. I found this on an Apple discussion page:

When remotely managing an XServe with OS 10.5.1 from a 10.4.11 client with ARD 3.2, several times (3 up till now) the server UI becomes unresponsive, at least finder. This even gets worse when trying to start the Application Monitor, then also the Dock freezes, and the Application Monitor UI never opens. When doing an ssh> sudo top, it shows that both “Application Monitor” and “VNCDragHelper” do consume almost 100% CPU. Luckily only on a Single core, but that keeps two cores (one processor 100% busy). killall “Activity Monitor” brings the activity monitor down, when sending it with Remote Desktop Unix command.

Perfect, that must be it. In SSH, I ran the following command:

sudo killall -9 VNCDragHelper

I also killed the loginwindow because that appeared to be frozen as well (judging from the top command that I ran):

sudo killall -9 loginwindow
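As an added example (not from the original post), the following shell function parses `ps -Ao pcpu=,comm=` output and lists the processes pinning a core, so the names handed to killall come from evidence rather than guesswork. The sample ps output below is constructed, and the threshold value is the caller’s choice.

```shell
#!/bin/sh
# Added example, not part of the original post: find the processes that are
# pinning a core (the VNCDragHelper / Activity Monitor symptom above) before
# deciding what to kill. Assumes `ps -Ao pcpu=,comm=` output: one line per
# process, %CPU first, then the command path (which may contain spaces).

# Constructed sample of such output; the paths and CPU figures are invented
# for illustration and are not from a real server.
SAMPLE_PS='  0.3 /sbin/launchd
 99.8 /constructed/path/to/VNCDragHelper
  1.2 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
 97.5 /Applications/Utilities/Activity Monitor.app/Contents/MacOS/Activity Monitor
  0.0 /usr/sbin/sshd'

# find_runaway THRESHOLD [PS_OUTPUT]
# Prints "<pcpu> <basename>" for every process at or above THRESHOLD %CPU,
# in the order ps listed them. With no second argument it inspects the live
# system via ps.
find_runaway() {
    threshold=$1
    if [ $# -ge 2 ]; then
        input=$2
    else
        input=$(ps -Ao pcpu=,comm=)
    fi
    printf '%s\n' "$input" | awk -v t="$threshold" '
        NF >= 2 && $1 + 0 >= t + 0 {
            cmd = $0
            sub(/^[ \t]*[0-9.]+[ \t]+/, "", cmd)   # drop the %CPU column
            sub(/.*\//, "", cmd)                   # keep only the basename
            printf "%s %s\n", $1, cmd
        }'
}

# Stand-alone use: show what the sample would flag at a 90% threshold.
# Against a real server drop the second argument and confirm each name before
# passing it to killall, as done in the post.
find_runaway 90 "$SAMPLE_PS"
```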

Suddenly, after running both of those commands, the server leapt back to responsiveness. I was able to access it in ARD without a problem. Also, after about an hour I checked the CPU diagram in Server Admin and was able to see a noticeable improvement.

OS X Server CPU back to normal

Now that’s a sight for sore eyes. For reference, I was running 10.5.3 and ARD 3.1 when this problem happened. I’m not sure that anything has been fixed in 10.5.4 though.

Spotlight Rejiggered in Leopard

I’ve heard a lot of rumors about Spotlight now actually ‘working’ in Leopard. That’s good news, because it was a total bust in Tiger. I liked the idea of it, but it was just too damn slow to actually be useful and I ended up using Quicksilver instead.

In More Goodies in Apple’s New Operating System, David Pogue mentions two new features in Spotlight (other than fixing the molasses problem) that I wasn’t aware of.

Menu bar calculator:

[Spotlight] is also a tiny pocket calculator now. Hit Command-Space, type or paste 38*48.2-7+55, and marvel at the first result in the Spotlight menu: 1879.6. You don’t even have to fire up the Calculator.

This is a neat idea, and if I could train myself to actually use it, it would be useful.

Dictionary lookups:

The Spotlight menu also searches the Leopard dictionary now. If you type, for example, “schadenfreude” into the Spotlight box, the beginning of the actual definition appears right there in the menu. Click it to open Dictionary and read the full-blown entry.

Um, interesting example word. Anyway, one of my favorite features in OS X is the ability to move your mouse cursor over any word (in a Cocoa app), press Ctrl + Cmd + D, and get a little pop-up that defines the word.

Schadenfreude OSX word lookup

I’ve been steadily beefing up my vocabulary by using this feature. Sometimes this little trick isn’t enough though and I have to go to the real dictionary. I usually use Dashboard for this, but in general I’m really not a fan of it. This new Spotlight trick is great.

New Font Features in Leopard

Typographi has a post on Grading the New Font “Features” in OS X Leopard. There is some good information on font improvements that I haven’t heard about elsewhere. The feature to print out Font Book pages sounds nice.

The feature that really got me excited[1] though was this:

Automatically activate fonts as you need them. When an application requests an installed font that’s currently disabled, Leopard activates that font and keeps it active until the requesting application quits.

If this feature actually works, and works well with lots of fonts, it’s easily got to be one of the killer features of Leopard. Seamless font auto-activation built into the OS is worth the price of admission alone. How many other font management applications cost money and don’t really work (other than, of course, FontExplorer X, which is free)?

I’m not holding my breath though.

[1] By excited I mean pessimistically hopeful.
