Active Directory edu.mit.kerberos file questions
  • #365966
    mhelman
    Participant

    Hi,

    I have 10.3.9 clients authenticating to AD and being managed by Computer Lists from OS X Server.

    I am working at solving an occasional problem where the user can either not authenticate via AD or can but loses their automounting windows share.

    I can see when this happens that the AD information is no longer generated in the edu.mit.kerberos file.

    It has been suggested that making the file static fixes the problem – and it does, however, it has also been suggested that fixing the problem this way may cause other problems later.

    Two questions then for those who know:

    1. I’ve noticed that the auto-generated file may sometimes contain:

    #autogenerated from: /Active Directory/addomain.com

    or

    #autogenerated from: /Active Directory/addomain.com, /LDAPv3/oddomain.com

    So, if I were to remove the OD information from the line, would it stay that way and just autogenerate the file from the AD domain from then on?

    2. In reading up on the edu.mit.kerberos file, mit says that "You should always have a configuration file that has a [libdefaults] section with a default_realm specified. Otherwise, getting Kerberos tickets at login time may fail."

    The [libdefaults] that is autogenerated for me only contains:

    ticket_lifetime = 600
    dns_fallback = no

    Would adding the default realm also help fix the problem? It appears so, but I don’t look after AD so I’m not sure what problems adding this in will cause (if any).

    For those interested, there is a thread on this at the MacEnterprise list.

    Thanks,
    Mark
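    As an added example (not code from the post, Apple, or MIT), a small Python check that reads an edu.mit.kerberos file, which uses krb5.conf syntax: it reports which directory nodes the "#autogenerated from:" header names and flags a [libdefaults] section that has no default_realm, or one whose realm has no matching [realms] entry. The sample file content is constructed to match the autogenerated layout described above.

```python
import re

# Constructed sample, modelled on the autogenerated file described in the post.
SAMPLE = """\
#autogenerated from: /Active Directory/addomain.com, /LDAPv3/oddomain.com
[libdefaults]
    ticket_lifetime = 600
    dns_fallback = no
[realms]
    ADDOMAIN.COM = {
        kdc = dc1.addomain.com:88
    }
"""

def parse_krb5(text: str) -> dict:
    """Top-level key = value pairs per [section]; a brace sub-block (realm entry) is kept by name."""
    sections, current, depth = {}, {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head = re.match(r"^\[(\w+)\]$", line)
        if head and depth == 0:
            current = sections.setdefault(head.group(1), {})
        elif line.endswith("{"):          # start of a realm sub-block
            if depth == 0:
                current[line.rstrip("{ =")] = "{}"
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def autogen_sources(text: str) -> list:
    """Directory nodes listed on the '#autogenerated from:' header line."""
    for line in text.splitlines():
        if line.startswith("#autogenerated from:"):
            return [s.strip() for s in line.split(":", 1)[1].split(",")]
    return []

def check_file(text: str) -> dict:
    """Which nodes fed the file, and does [libdefaults] name a realm with a [realms] entry?"""
    cfg = parse_krb5(text)
    realm = cfg.get("libdefaults", {}).get("default_realm")
    realms = cfg.get("realms", {})
    return {"sources": autogen_sources(text), "default_realm": realm,
            "realms": sorted(realms), "ok": realm in realms}
```

    Run check_file() over the live file (or a saved copy of it) after a failed login to see whether the AD node dropped out of the header or the realm entry disappeared.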

    #365975
    mhelman
    Participant

    Quote by: macshome

    > Most of the time in a magic triangle setup you will want to remove or rename the client KDC info in the OD database to prevent it from polluting the edu.mit.Kerberos files on the clients.
    >
    > Apple has a KB on it here.

    OK, I’ll make the change on the Server 😉

    I just don’t like removing functionality so I was looking for another way.

    Hopefully this will do the trick. Thanks!

    Mark

    #366388
    mhelman
    Participant

    The KB you suggested worked great – thanks!

    Now that I am happy with the Server I have set up a Replica, however, I noticed that the KDC is not running.

    This replica is 10.3.9 and was taken from Standalone directly to Replica.

    Am I correct in assuming that since the Server is no longer handing out Kerberos information that the Replica would be unable to run a KDC?

    If so, (and since I am only using the Server and Replica to serve preferences for the Guest Computer List) would leaving things as is be advisable?

    If not, what do I need to do to get the KDC running?

    Thanks,
    Mark

    #366389
    mhelman
    Participant

    Just to be clear, the KDC is running on the OD Master, but not on the Replica.

    #366463
    mhelman
    Participant

    Just in case anyone reads this thread and is looking for the answer – in this setup the KDC showing as stopped is the expected behaviour on the Replica.
