edu.mit.kerberos-Problems

  • #360904
    frido
    Participant

    Hello!

    I have the following setup:
    - XServe G5 as Open Directory Master, bound to a Windows AD domain, KDC is stopped (running OS 10.3.7)
    - second XServe G5 as Open Directory Replica server, also bound to AD, KDC is also stopped
    - clients bound to AD domain (for user accounts and passwords), XServe's OD domain second in Directory Services (for MCX info), clients running 10.3.5

    The problem that I have now is that when I bind my clients to AD for the first time, the edu.mit.kerberos-file is correctly listing the AD Domain and the XServe's domain, but after a while (could not pin it to a time interval yet) the file gets changed and shows only the XServe's domain (and therefore, my users cannot log in).
    I have worked around this by removing the “autogenerated by”-lines from edu.mit.kerberos, but I'd really like to know WHY the client thinks the AD-Realm is gone…

    Bye, Frido.

    #360910
    AMSR
    Participant

    The reason is that your clients are bound to both AD and OD, both of which push Kerberos config files to your clients. Sometimes they get along and both realms make it into your edu.mit.Kerberos file, and sometimes they are out of sync, and one wins over the other.

    See:

    http://docs.info.apple.com/article.html?artnum=300765

    Also, you really don’t need to have either of your OD master/replica bound to AD. You can manage the user accounts from a client workstation that is bound to AD, and it will cause your servers fewer headaches. They don’t seem to like to be both bound to AD and providing LDAP services at the same time.

    #360925
    frido
    Participant

    Thanks, that fixed it…
    Also, I will remove my OD master from ADS, but then, as far as I understand it, my users cannot log in with their AD credentials anymore…

    Bye, Frido
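
An added example, not part of the thread: a check that a krb5-style file such as edu.mit.kerberos still lists every realm the clients need, and whether the "autogenerated" marker mentioned in the first post is still present. The sample file contents, realm and host names, and function names are constructed for illustration.

```python
import re

# Constructed krb5-style samples (realm and host names are placeholders).
SAMPLE_BOTH = """\
# autogenerated by: (constructed header line)
[libdefaults]
    default_realm = AD.EXAMPLE.COM
[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }
    XSERVE.EXAMPLE.COM = {
        kdc = xserve.example.com
    }
"""
# The same file after the AD realm has been dropped.
SAMPLE_OD_ONLY = SAMPLE_BOTH.replace(
    "    AD.EXAMPLE.COM = {\n        kdc = dc1.ad.example.com\n    }\n", "")

def parse_realms(text):
    """Return (realm names under [realms], default_realm, autogenerated flag)."""
    section, depth = None, 0
    realms, default, autogen = set(), None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):
            autogen = autogen or "autogenerated" in line.lower()
        elif depth == 0 and re.fullmatch(r"\[\w+\]", line):
            section = line[1:-1]
        elif section == "realms":
            m = re.match(r"([^\s=]+)\s*=\s*\{", line)
            if depth == 0 and m:
                realms.add(m.group(1))
            # Track brace nesting so keys inside a realm block are not read as realms.
            depth += line.count("{") - line.count("}")
        elif section == "libdefaults":
            m = re.match(r"default_realm\s*=\s*(\S+)", line)
            default = m.group(1) if m else default
    return realms, default, autogen

def check(text, required):
    """List problems found in the file for the required realms."""
    realms, default, autogen = parse_realms(text)
    findings = [f"missing realm: {r}" for r in sorted(set(required) - realms)]
    if default and default not in realms:
        findings.append(f"default_realm {default} has no [realms] entry")
    if autogen:
        findings.append("autogenerated marker present: file may be rewritten")
    return findings
```

Run `check()` periodically on the client's Kerberos configuration file with the realms it is bound to; an empty list means both realms are present and the file is no longer marked as autogenerated.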
