10.5 OD Master 10.4 Server

  • #373832
    trice
    Participant

    I currently have a 10.5 server that is serving as an OD master and a 10.4.11 server (hosting AFP sharepoints) that I would like to connect to it. On the 10.4 machine, in Server Admin, under Open Directory, I selected "connected to a directory system" and filled in all of the required information, including all of the Kerberos info. The 10.4 server seemed to connect fine, and if I went into Workgroup Manager on that machine I could see all of my OD users. However, the problem came when I logged into a client and attempted to connect to one of the AFP shares. It would present me with a Kerberos login box instead of automatically mounting the share as it did when the OD master was running 10.4. I tried demoting the AFP server to standalone and then re-establishing the settings, but that didn't work either. Sometimes instead of using the GUI I would run (from the command line) sso_util configure -r REALM.NAME -a admin -p password all, which seemed to execute OK except for the following error: "Unable to configure service http error = 2". This also happened after I deleted the keytab files and started over. Any ideas? The only thing I can think of is that when upgrading from 10.4 to 10.5 on the master I did change the realm name; I did that following Apple's guidelines. I did have to forcibly merge the existing database with the new realm, but logins and everything else seem to be working fine. Kerberos is running on the OD master and I am able to create other 10.5 replicas with no issues. Any thoughts?

    tom

    #373833
    trice
    Participant

    If I go into the Kerberos app on the client, it shows no tickets have been requested. If I request a ticket from the Kerberos realm, I can then connect to the AFP shares without being presented with a logon box. If I add a completely new user, then they get the tickets fine. So it seems something got screwed up in the migration of server names. I followed the instructions here http://docs.info.apple.com/article.html?artnum=107702 which did in fact remove the duplicate realm names that existed, but current users are still not granted tickets upon logging in.
    Looking at the users in the Inspector window in WGM, it shows that they do indeed list Kerberos as an authentication authority, but it has the old realm listed. Any ideas on how to fix this for everyone?

    Any thoughts on how this can easily be fixed without forcing 5000 users to reset their passwords after I reimport them?

    tom

    #373851
    trice
    Participant

    Correct, they are not getting tickets automatically on login. I haven't tried kinit from the command line, but I have used the Kerberos GUI app on the clients and they can get tickets that way. In the Authentication Authority and dsAttrTypeNative:AuthAuthority fields under the Inspector window in WGM, the old realm name is listed under the Kerberos values. If I edit those fields to the new realm name it doesn't change anything. If I add a brand new user, then all is well. They have the correct info listed in WGM and can connect to Kerberized shares without being prompted for a password.

    tom
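Before deciding on a reimport, it helps to know exactly which user records still carry the old realm in their Kerberos authentication authority. The following audit is an added example, not code from the thread or from Apple: it assumes the Kerberosv5 authority value has the shape `;Kerberosv5;<tag>;<principal>@<REALM>;<REALM>;` and that the records have already been pulled out of the directory (for instance with dscl on the OD master); the user names, realm names and hash fragments are constructed placeholders.

```python
from collections import defaultdict

# Placeholder realm names for before and after the 10.4 -> 10.5 upgrade.
OLD_REALM = "OLD.EXAMPLE.COM"
NEW_REALM = "NEW.EXAMPLE.COM"

# Constructed sample records: user name -> AuthenticationAuthority values.
# Assumed value shape: ";Kerberosv5;<tag>;<principal>@<REALM>;<REALM>;"
# Hash fragments are placeholders, not real directory data.
SAMPLE_RECORDS = {
    "tom": [";ApplePasswordServer;0xPLACEHOLDER01,1024 35 ...",
            f";Kerberosv5;;tom@{OLD_REALM};{OLD_REALM};"],
    "alice": [";ApplePasswordServer;0xPLACEHOLDER02,1024 35 ...",
              f";Kerberosv5;;alice@{OLD_REALM};{OLD_REALM};"],
    "newuser": [";ApplePasswordServer;0xPLACEHOLDER03,1024 35 ...",
                f";Kerberosv5;;newuser@{NEW_REALM};{NEW_REALM};"],
    "localonly": [";ShadowHash;HASHLIST:<PLACEHOLDER>"],
}

def kerberos_realm(value):
    """Return the realm named in a Kerberosv5 authority value, else None."""
    fields = value.split(";")  # leading ';' gives an empty fields[0]
    if len(fields) < 5 or fields[1] != "Kerberosv5":
        return None
    principal, realm_field = fields[3], fields[4]
    if realm_field:                      # explicit realm field wins
        return realm_field
    if "@" in principal:                 # otherwise take it from the principal
        return principal.rsplit("@", 1)[1]
    return None

def audit(records, expected_realm):
    """Classify each user as 'ok', 'stale:<REALMS>' or 'no-kerberos'."""
    result = {}
    for user, values in records.items():
        realms = {r for r in (kerberos_realm(v) for v in values) if r}
        if not realms:
            result[user] = "no-kerberos"
        elif realms == {expected_realm}:
            result[user] = "ok"
        else:
            result[user] = "stale:" + ",".join(sorted(realms - {expected_realm}))
    return result

def summarize(records, expected_realm):
    """Group user names by audit status so the stale set is easy to read off."""
    by_status = defaultdict(list)
    for user, status in audit(records, expected_realm).items():
        by_status[status].append(user)
    return dict(by_status)
```

Pointing `audit` at records exported from the live directory shows how many of the 5000 users are affected and which ones, without changing anything in the directory.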
