HELP cleanup Kerberos on 10.4.11 server (OS X Server and Client Discussion / Open Directory forum)

    #374064
    lschafroth
    Participant

    I have an Xserve running as an Open Directory Master and a PDC. This is working fine, but it has never been kerberized. When I try to do it from the GUI interface it keeps prompting for a password and never does anything.

    I followed some guides on doing it all from the command line and I am close but still get a few errors.

    Can someone help me with instructions on what files to delete, so I have a fresh start?

    The dns forward and reverse lookups all return the correct domain. xserve4.winterset.k12.ia.us
    The sharing name is xserve4.local

    Here are the commands I tried:

    [b]kerberosautoconfig -r XSERVE4.WINTERSET.K12.IA.US -m xserve4.winterset.k12.ia.us[/b]

    [b]RESULTS:[/b]
    xserve4:/usr/sbin root# kdcsetup -f /LDAPv3/127.0.0.1 -w -a DIRADMIN -p ****** XSERVE4.WINTERSET.K12.IA.US
    create: The database ‘/var/db/krb5kdc/principal’ appears to already exist
    SendInteractiveCommand: failed to get pattern
    WARNING: no policy specified for [email protected]; defaulting to no policy
    add_principal: Principal or policy already exists while creating “[email protected]”.
    edu.mit.kadmind: Already loaded
    com.apple.kdcmond: Already loaded

    [b]kdcsetup -f /LDAPv3/127.0.0.1 -w -a DIRADMIN -p ****** XSERVE4.WINTERSET.K12.IA.US[/b]

    [b]RESULTS:[/b]
    kdb5_util: File exists while creating/opening admin policy database.
    WARNING: no policy specified for [email protected]; defaulting to no policy
    kadmin.local: Principal kadmin/[email protected] does not exist.
    kadmin.local: Principal kadmin/[email protected] does not exist.
    edu.mit.kadmind: Already loaded
    com.apple.kdcmond: Already loaded
    xserve4:/var/db/krb5kdc root# Workaround Bonjour: Unknown error: 0
    Workaround Bonjour: Unknown error: 0

    [b]slapconfig -kerberize DIRADMIN XSERVE4.WINTERSET.K12.IA.US[/b]

    [b]RESULTS:[/b]
    DIRADMIN’s Password: (I type it in)
    Removed directory at path /var/db/krb5kdc.
    command: /sbin/kerberosautoconfig -r XSERVE4.WINTERSET.K12.IA.US -m xserve4.winterset.k12.ia.us -u -v 1
    command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a DIRADMIN -p **** -v 1 XSERVE4.WINTERSET.K12.IA.US
    kdcsetup command output:
    Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File
    Creating Admin ACL File
    Creating Kerberos Master Key
    Creating Kerberos Database
    Creating Kerberos Admin user
    Adding kerberos auth authority to admin user
    Creating keytab for the admin tools
    Adding KDC & kadmind to launchd
    Adding the new KDC into the KerberosClient config record
    AddKDCToConfig: KDC is already present in record
    Finished
    command: /usr/sbin/sso_util configure -r XSERVE4.WINTERSET.K12.IA.US -f /LDAPv3/127.0.0.1 -a DIRADMIN -p **** -v 1 all
    sso_util command output:
    Contacting the directory server
    Creating the service list
    Creating the service principals
    sso_util command failed with status 2
    command: /usr/sbin/sso_util configure -r XSERVE4.WINTERSET.K12.IA.US -f /LDAPv3/127.0.0.1 -a DIRADMIN -p **** -v 1 ldap
    sso_util command output:
    Contacting the directory server
    Creating the service list
    Creating the service principals
    sso_util command failed with status 2
    command: /usr/sbin/mkpassdb -kerberize (it sits here forever – have to do a CONTROL C)

    [b]sso_util configure -r XSERVE4.WINTERSET.K12.IA.US -a DIRADMIN -p ****** all[/b]

    [b]RESULTS:[/b]
    Contacting the directory server
    Creating the service list
    Creating the service principals
    SendInteractiveCommand: failed to get pattern

    I had to manually start the KDC service before doing all of this as it never runs automatically. We cannot reinstall the server as we are in the middle of the school year and have 1700 accounts and many XP systems joined to the domain and need Kerberos to work for our Leopard clients. They TAKE FOREVER to log in to the Tiger server and I was told it was because Kerberos is not working.

    We also want to use Spiceworks with authenticated users for the HelpDesk but it will not work until Kerberos is working. Spiceworks SETUP for the AD account fails without it.

    Please help. 🙂

    Lannie

    #374086
    lschafroth
    Participant

    hello??

    #374135
    lschafroth
    Participant

    Anyone?

    #374197
    lschafroth
    Participant

    I take it from the lack of response that Kerberos is an impossible task on the Mac.

    Lannie

    #374240
    lschafroth
    Participant

    yawn…..

    #374258
    lschafroth
    Participant

    cricket…..cricket……

    #374322
    lschafroth
    Participant

    time to switch to windows?

    #374339
    lschafroth
    Participant

    I found this link:

    https://www.afp548.com/article.php?story=20060714092117916&query=kerberize

    I got very close!! The commands all worked until I got to the kinit command. It says no kdc server could be contacted. The kdc service is running, but I have not rebooted the server until tonight.

    Can anyone give me a pointer on the next step to troubleshoot?

    Thanks!!

    Lannie

    #374359
    lschafroth
    Participant

    I found a great kerberos pdf that came from this site. It shows a lot of example files and configurations. I will go through it today and see what happens.

    Thanks!!

    Lannie

    #374386
    lschafroth
    Participant

    I had to add KDC to the /etc/hosts

    so I had:

    10.x.x.x servername.winterset.k12.ia.us kdc

    Then it worked.

    Lannie
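Added example, not part of the thread and not Apple's tooling, tying together the kinit failure in post #374339 ("no kdc server could be contacted") and the /etc/hosts fix in #374386: a POSIX shell check that every KDC named in a krb5.conf-style realm block has an entry in an /etc/hosts-style file, run against a hosts file with the "kdc" alias and one without it. The file contents, the 10.0.0.4 address and the temporary file paths are constructed for the demo; real name resolution also consults DNS, which this offline check deliberately leaves out.

```shell
#!/bin/sh
# Added example for this thread (not the poster's commands and not Apple's
# tooling): before running kinit, confirm that every KDC named for the realm
# in a krb5.conf-style file resolves through an /etc/hosts-style file, which
# is the resolution path the last post fixed by adding the "kdc" alias.
# All file contents, the 10.0.0.4 address and the temp paths are constructed.

REALM="XSERVE4.WINTERSET.K12.IA.US"

# Constructed hosts file in the shape of the fix from the last post.
SAMPLE_HOSTS="$(mktemp)"
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost
# 10.0.0.4 is a constructed stand-in for the thread's 10.x.x.x
10.0.0.4    xserve4.winterset.k12.ia.us xserve4 kdc
EOF

# Constructed hosts file missing the "kdc" alias: the state before the fix.
BROKEN_HOSTS="$(mktemp)"
cat > "$BROKEN_HOSTS" <<'EOF'
127.0.0.1   localhost
10.0.0.4    xserve4.winterset.k12.ia.us xserve4
EOF

# Constructed krb5.conf fragment whose realm points at the short name "kdc".
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
    default_realm = XSERVE4.WINTERSET.K12.IA.US

[realms]
    XSERVE4.WINTERSET.K12.IA.US = {
        kdc = kdc:88
        admin_server = xserve4.winterset.k12.ia.us
    }
EOF
trap 'rm -f "$SAMPLE_HOSTS" "$BROKEN_HOSTS" "$SAMPLE_CONF"' EXIT

# hosts_lookup FILE NAME: print the address whose line lists NAME as the
# canonical name or any alias; print nothing when there is no such line.
hosts_lookup() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# realm_kdcs FILE REALM: print each "kdc =" host from REALM's block under
# [realms], with any :port suffix removed.
realm_kdcs() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); in_block = 0; next }
        in_realms && $1 == realm && $2 == "=" { in_block = 1; next }
        in_block && /^[[:space:]]*}/           { in_block = 0; next }
        in_block && $1 == "kdc" && $2 == "="   { sub(/:[0-9]+$/, "", $3); print $3 }
    ' "$1"
}

# check_realm_kdcs HOSTS CONF REALM: report each KDC as ok/unresolved and
# return 1 if any KDC has no hosts entry (the situation behind
# "no kdc server could be contacted" in the thread).
check_realm_kdcs() {
    status=0
    for host in $(realm_kdcs "$2" "$3"); do
        addr="$(hosts_lookup "$1" "$host")"
        if [ -n "$addr" ]; then
            echo "ok: $host -> $addr"
        else
            echo "unresolved: $host has no entry in $1"
            status=1
        fi
    done
    return $status
}

echo "== hosts file with the kdc alias"
check_realm_kdcs "$SAMPLE_HOSTS" "$SAMPLE_CONF" "$REALM"
echo "== hosts file without it"
check_realm_kdcs "$BROKEN_HOSTS" "$SAMPLE_CONF" "$REALM" || echo "fix: add the KDC name to /etc/hosts or DNS"
```

On a real server the same three functions can be pointed at /etc/hosts and /etc/krb5.conf (or the 10.4 equivalent, /Library/Preferences/edu.mit.Kerberos) to confirm the names the client will use before reaching for kinit; a KDC that resolves in neither hosts nor DNS produces exactly the "no kdc server could be contacted" symptom even when the KDC process itself is running.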
