Kerberos on Connected to Directory System

  • #369418
    Dave Hagan
    Participant

    I have an ODM + 4 replicas. I just want to add a Tiger Server connected for a home directory server for Macs and PCs.

    So I do the whole thing with Directory Access and restart the server. When rebooted, and logged in, I see in Server Admin that Open Directory is not running — that’s fine. It’s got the little green light out and the three items — LDAP server, Password Server, and Kerberos all are “Stopped.”

    I have done this before and can have users log in, etc. and not know the difference between a replica and connected to directory system. The thing is — I want to know — why are those things (LDAP, Password Server, and Kerberos) all off? I cannot Kerberize them. I tried this article here https://www.afp548.com/article.php?story=20060724104018616 and read the manual carefully, but no dice.

    It seems that this feature is broken…and has been…what am I missing? I’ll do a replica if that’s the recommended way. It’s always worked and those features always seem to get lit up with replicas but WHY OH WHY does it always have to be this way?

    I hope this is fixed in Leopard Server because it’s really shaky to me. Log files tell me that it could not add a principal, but it always says this. I hate mucking around with my ODM — I need it to work.

    #369422
    Dave Hagan
    Participant

    Quote by MacTroll: “I would expect Kerberos, LDAP and the PWS to be off as this server is hosting none of those services.”
    Well, do those 3 things need to be “Running” in order for it to be used as a home directory server? So what does Kerberos have to do with it? I am foggy on the significance of Kerberos on home directory servers. The manuals are vague on whether or not Kerberos is necessary when you have servers that are using the “Connected to Directory System” setting.

    Sorry I was venting earlier! 🙂

    #369433
    AMSR
    Participant

    With a system “connected to a directory system”, meaning it’s not a replica or a master, but you want people to be able to log into it via their OD name and kerberos password (single sign on), you need to bind it to your OD system using Directory Access. Then, if you haven’t already, add the new system to a computer list in WGM on your OD system and make sure you use the fully qualified domain name of the server (i.e. server.example.com, as opposed to just ‘server’). And then finally in Server Admin click the “join kerberos” button.

    The first step establishes communication with the LDAP server, and the third step creates entries in the OD master called “service principals” for your new server. This third part is what tells your OD master to hand out kerberos authentication tickets for services on your new server, even though it’s not an OD server itself. It’s considered part of the “realm”.

    If you really want to check it out on a more detailed level you can log into the OD master and use the kadmin.local command to run the “listprincs” command. This will allow you to list from the KDC all of the known hosts and services they offer via kerberos. Kerberos service principals are in the format of “service/[email protected]”. By default, when you click the “join kerberos” button in server admin, OSX server creates on the ODM’s KDC 3 of these entries for each service it provides for the host you are “joining kerberos” from…
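A small check for the listprincs step AMSR describes, added here as an example and not code from the thread: fed the output of `kadmin.local -q listprincs` on the OD master, it reports which service principals the KDC holds for a given host and flags a short (non-FQDN) host name, the mistake the computer-list step warns about. A constructed sample of listprincs output (realm EXAMPLE.COM, made-up hosts and service names) is embedded so it runs offline.

```shell
#!/bin/sh
# Constructed sample of `kadmin.local -q listprincs` output (hypothetical
# realm EXAMPLE.COM; hosts and service names are made up for the example).
# On a real OD master replace this with:  sudo kadmin.local -q listprincs
SAMPLE_PRINCS='K/M@EXAMPLE.COM
afpserver/server.example.com@EXAMPLE.COM
host/server.example.com@EXAMPLE.COM
cifs/server.example.com@EXAMPLE.COM
afpserver/odm.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# is_fqdn NAME: succeeds only if NAME contains a dot, i.e. is the fully
# qualified form the WGM computer list entry must use.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# host_services HOST: read listprincs output on stdin and print the service
# part of every principal shaped service/HOST@REALM, one per line, sorted.
# Exact match on the instance, so server.example.com does not match
# server.example.com.local or a lone "server".
host_services() {
    awk -F'[/@]' -v h="$1" 'NF == 3 && $2 == h { print $1 }' | sort
}

# count_host_services HOST: number of service principals the sample holds for HOST.
count_host_services() {
    printf '%s\n' "$SAMPLE_PRINCS" | host_services "$1" | wc -l | tr -d ' '
}

# check_host_principals HOST: fails (1) on a short name or when the KDC knows
# no service on HOST, meaning "join kerberos" did not create its principals.
check_host_principals() {
    host="$1"
    if ! is_fqdn "$host"; then
        echo "'$host' is not fully qualified; use the FQDN you put in WGM" >&2
        return 1
    fi
    services=$(printf '%s\n' "$SAMPLE_PRINCS" | host_services "$host")
    if [ -z "$services" ]; then
        echo "no service principals for $host on this KDC" >&2
        return 1
    fi
    echo "$host has principals for:" $services
    return 0
}
```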
