AD and OD integration problems

  • #370219
    alternapop
    Participant

    I’ve been following the instructions from bombich.com for integrating AD and OD…
    http://www.bombich.com/mactips/activedir.html

    I keep running into a couple of snags. I’ve included the errors below and hope someone can provide some feedback as to what these errors mean, whether they are important, and how to correct them if so.
    Sorry if this is confusing and too long. The OD Master and my test client are both at 10.4.10.

    —–

    When I initially create the Open Directory Master, if I have SSL enabled and set to use my self-assigned cert, running this command
    [code]sudo sso_util remove -k -a diradmin -p password[/code]
    …in the Terminal returns this error:
    [code]Cannot get the realm name from the directory
    failed to update directory error is 2[/code]
    My realm is set to org_name.edu.

    If I don’t have SSL and my cert set when I create the master, it seems to work. If SSL is on but set to use “custom config”, then it seems to work.

    Also, enabling SSL on the client causes OD to fail on the client. I’m guessing whatever SSL problem I’m having on the server is the same one causing the clients to fail when it is enabled.

    —–

    I can successfully sign in on a client Mac that authenticates to our campus AD server (client successfully bound to AD).

    I can successfully manage the Mac client’s prefs with OD. Checking the box for “Enable directory binding” under Open Directory > Policy > Binding seems to cause Mac preference management to fail. Why is this?

    Part of the documentation refers to being able to mount a file share without having to authenticate again, using Kerberos… I can’t get this to work. Either it gives an error or asks me to authenticate. Probably related to the above problems.

    So what is going on here with Kerberos and SSL? What might I be missing or doing wrong?

    —-
    Errors following the bombich instructions:

    Page VII-25

    A.4.
    [code]sudo dsconfigad -enableSSO[/code]

    gives this error:

    [code]Unable to configure service http error = 2
    Unable to configure service HTTP error = 2
    Cleaning up
    Settings changed successfully[/code]

    #370227
    alternapop
    Participant

    1. Do you have any evidence, beyond a green light in Server Admin, that the SSL certificate is working?

    Not really, I guess. How can I check this?

    2. It doesn’t work to bind both to AD and to OD. Bind to AD and do an anonymous bind to OD. There’s nothing sensitive in the OD part of this, as there are no passwords, or even user information, in the OD LDAP server.

    Makes sense, thanks!

    3. – First creating an OD Master and then joining AD?

    Yes

    – Do you do anything to disable the KDC on the Master before joining AD?

    Yes

    – sudo klist -kt

    Yes, it returns a bunch of lines in matching groups of 3, except a couple, which I presume are related to the error I get when running “sudo dsconfigad -enableSSO”, which is “Unable to configure service http error = 2”.

    – cat /Library/Preferences/edu.mit.kerberos

    Yes, and it returns many domains including my AD domain.

    ———–
    Here is, step by step, what I’m doing…

    1. Promoted to OD Master, selecting SSL and my self-assigned cert
    2. On the server, ran:

    [code]sudo sso_util remove -k -a diradmin -p [password][/code]

    Returns:
    shutting down kadmind
    kadmind shut down
    shutting down kdc
    removing KDC from the KerberosClient config record
    Contacting the directory server
    [b]Cannot get the realm name from the directory
    failed to update directory error is 2[/b]
    kdc shut down
    removing kdc database files

    [code]dscl -u diradmin /LDAPv3/127.0.0.1 -delete /Config/KerberosKDC[/code]

    Returns:
    [b]Data source (/LDAPv3/127.0.0.1) is not valid.[/b]

    3. Started over; changed OD back to Stand Alone

    1. Promoted to OD Master (SSL not checked)
    2. On the server, ran:

    [code]sudo sso_util remove -k -a diradmin -p [password][/code]

    Returns:
    shutting down kadmind
    kadmind shut down
    shutting down kdc
    removing KDC from the KerberosClient config record
    Contacting the directory server
    Directory updated
    kdc shut down
    removing kdc database files

    Note: SSL is checked but using “custom configuration”… I didn’t change anything here by hand.

    3.
    [code]dscl -u diradmin /LDAPv3/127.0.0.1 -delete /Config/KerberosKDC
    dscl -u diradmin /LDAPv3/127.0.0.1 -delete /Config/KerberosClient[/code]

    4. Bound the server to AD successfully

    5. [code]sudo dsconfigad -enableSSO[/code]

    Returns a bunch of stuff; the last 4 lines are:

    Unable to configure service http error = 2
    Unable to configure service HTTP error = 2
    Cleaning up
    Settings changed successfully

    6.
    [code]sudo klist -ke
    Keytab name: FILE:/etc/krb5.keytab
    … a bunch of lines…[/code]

    7. [code]defaults read /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal[/code]
    returns sfpserver/[…]

    8. [code]grep “realm” /etc/smb.conf[/code]
    realm = [… AD realm …]

    9. On the client:
    When adding my OD, if SSL is checked, it gives an error that it can’t find the OD.
    When adding my OD, if SSL is not checked, it works and lets me manage the client.
    If I manually check SSL after successfully adding the OD, it doesn’t pick up the managed client prefs.

    —–

    Thanks a million for your time and help!
    Chris
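An added example, not from the thread or from the bombich document, for checking the keytab mentioned in step 6 and in the "groups of 3" remark above: it parses `klist -kt` style output and reports any service principal that has fewer keytab entries than expected (a service whose SSO setup failed, like the http service in the error, typically shows up short). The sample output embedded below is constructed; hostname, realm and the expected count of 3 are assumptions, and on a real server you would pipe `sudo klist -kt` into the same functions.

```shell
#!/bin/sh
# Constructed sample of `sudo klist -kt` output (not captured from the thread).
# host/ and afpserver/ have three entries each; http/ has only one.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 09/12/07 10:15:00 host/odmaster.org_name.edu@ORG_NAME.EDU
   2 09/12/07 10:15:00 host/odmaster.org_name.edu@ORG_NAME.EDU
   2 09/12/07 10:15:00 host/odmaster.org_name.edu@ORG_NAME.EDU
   2 09/12/07 10:15:00 afpserver/odmaster.org_name.edu@ORG_NAME.EDU
   2 09/12/07 10:15:00 afpserver/odmaster.org_name.edu@ORG_NAME.EDU
   2 09/12/07 10:15:00 afpserver/odmaster.org_name.edu@ORG_NAME.EDU
   2 09/12/07 10:15:00 http/odmaster.org_name.edu@ORG_NAME.EDU'

# keytab_incomplete EXPECTED  (reads klist output on stdin)
# Counts entries per principal (the last field of each KVNO line) and prints
# "principal count" for every principal that has fewer than EXPECTED entries.
keytab_incomplete() {
    awk -v want="$1" '
        /^ *[0-9]+ / { n[$NF]++ }
        END { for (p in n) if (n[p] < want) print p, n[p] }
    ' | sort
}

# keytab_has_service SERVICE  (reads klist output on stdin)
# Exit 0 if at least one SERVICE/host@REALM principal is present, 1 otherwise.
keytab_has_service() {
    awk -v svc="$1" '
        BEGIN { rc = 1 }
        /^ *[0-9]+ / { split($NF, a, "/"); if (a[1] == svc) rc = 0 }
        END { exit rc }
    '
}

# Stand-alone run over the constructed sample: lists principals short of 3 entries.
printf '%s\n' "$SAMPLE_KLIST" | keytab_incomplete 3
```

On a live 10.4 OD/AD server, `sudo klist -kt | keytab_incomplete 3` lists the principals worth re-checking after `dsconfigad -enableSSO` reports an error for a service.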

    #370293
    alternapop
    Participant

    Bump. Sorry, but I haven’t resolved this and am wondering if anyone has any insight. Thanks.
