Add Kerberos Record Failing – can’t kerberize

  • #364282
    dom9inic
    Participant

    Hi all,

    Clean install of 10.4.3 server, all updated. Standalone to OD Master promotion.

    Created a new diradmin user through sys prefs to promote to OD master.

    Created a Computer List in WGM using new diradmin user and pointed it to the local Xserve needed.

    Tried adding Kerberos record through Server Admin providing new diradmin details and computer record just created through WGM.

    slapconfig log says (substituting sensitive info with **)

    2005-12-05 13:45:12 +0000 - slapconfig -kerberize
    2005-12-05 13:45:12 +0000 - Hostname kt-macserve-*****-**-**.local is from Rendezvous
    2005-12-05 13:45:12 +0000 - Skipping Kerberos configuration
    

    sys log says

    Dec  5 13:21:42 kt-macserve-****-**-** /usr/sbin/mkpassdb: auxpropfunc error no mechanism available\n
    Dec  5 13:43:56 kt-macserve-****-**-** /Applications/Server/Workgroup Manager.app/Contents/MacOS/Workgroup Manager: NSLXResolveDNS will try and resolve [kt-macserve.****.**.** [00:03:93:a8:cc:66]] of type [_workstation._tcp.] in location [local.]\n
    

    Not sure what is going on here. It is obviously having issues finding the computer record I created through WGM, but why I don’t know.

    If I then ignore the fact that the add process failed and hit Join, it does so with a warning that there is no policy.

    Pretty stumped. Any ideas?

    #364288
    dom9inic
    Participant

    Hmm, the starred out portion of the namespace is the actual FQDN for our site, and I’ve specified the FQDN from the initial install. Not sure why this is happening.

    I must admit, I was confused that the .local was tagging onto the end, but hey, that explains me not being able to login after binding to the OD Master.

    Alright, back to my basic config disk image.

    Cheers for that, not sure how it thinks it’s in the local namespace but there we go.

    #364291
    dom9inic
    Participant

    Hi MacTroll,

    Will have to do this tomorrow, no VPN access from home for me. I did check that DNS forward and reverse resolved to the FQDN and that the sharing pref pane showed the FQDN.

    As I am new to Tiger Server I was put off and unfamiliar with the Rendezvous display of hyphens replacing dots in the FQDN.

    It’s no problem to go back to base install with my ASR image as I’ve only just started with this server config.

    Thanks for your help though, always appreciated.

    #364294
    dom9inic
    Participant

    So, I checked the hostname and sure enough it is tagging .local to the end of my FQDN. Think I shall re-image if I get a chance today and watch my step. Not sure where it would have taken the .local from, I sure as hell didn’t specify it.

    Off we go again.

    #364296
    dom9inic
    Participant

    Alright, re-imaged to my standalone, double checked the config file I saved out at initial install, nothing to do with .local in my FQDN.

    DNS works in standalone, but hostname still using the FQDN.local tag.

    Promote to OD Master. Now in the Create new diradmin box, the search base is dividing up my FQDN to include dc=local, so I change it, removing that completely and doing the standard dc for all levels of the FQDN.

    Server promoted, check hostname, still with the FQDN.local

    As an example

    example.com.local

    Extremely irritating.

    slapconfig says

    2005-12-01 15:33:12 +0000 - slapconfig -setstandalone
    2005-12-06 14:17:31 +0000 - slapconfig -createldapmasterandadmin
    2005-12-06 14:17:31 +0000 - Creating password server slot
    2005-12-06 14:17:31 +0000 - command: /usr/sbin/mkpassdb -u xs01diradmin -p -q
    2005-12-06 14:17:33 +0000 - command: /usr/sbin/mkpassdb -a -u root -p -q
    2005-12-06 14:17:33 +0000 - command: /usr/sbin/NeST -startpasswordserver
    2005-12-06 14:17:35 +0000 - Starting LDAP server (slapd)
    2005-12-06 14:17:39 +0000 - command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=machine-name,dc=fqdn,dc=ac,dc=uk -w ****
    2005-12-06 14:17:40 +0000 - Hostname machine-name-fqdn-ac-uk.local is from Rendezvous
    2005-12-06 14:17:40 +0000 - Skipping Kerberos configuration
    2005-12-06 14:17:40 +0000 - command: /usr/sbin/vpnaddkeyagentuser -q /LDAPv3/127.0.0.1
    2005-12-06 14:17:41 +0000 - slapconfig -setldapconfig
    2005-12-06 14:17:41 +0000 - command: /usr/sbin/mkpassdb -setreplicationinterval 86400 SyncAnytime
    
    

    Think I shall install from scratch again, to see if there is anything in the initial config I can catch, but all ideas are welcome.

    #364300
    dom9inic
    Participant

    So something that stands out in the initial config, is the

    Computer Name
    Hostname Fields

    I thought that both needed to be filled with the FQDN.
    When you fill the hostname in, below, outside of the field it shows that it is automatically appending .local to it and there is nothing you can do.

    So, this must be normal behaviour. Now, I presume that by changing to an OD master this .local tag is stripped, but that is not what happens for me.

    Or is this normal? Does anyone else have the .local appended? Should I just use "$ hostname -s my.domain.eg"?

    #364304
    dom9inic
    Participant

    I see what you’re saying but, I do have reverse DNS setup. I can get the right info with dig, host and nslookup. I’ve double checked with the DNS Admins.

    I will try hard coding it in /etc/hostconfig to see if this makes the difference.

    Very odd, especially as I’ve just sacked Jaguar server where the same DNS worked fine. Then again, I wasn’t trying to set up Kerberos.

    Thanks for the input again.

    #364326
    dom9inic
    Participant

    Well, putting the FQDN in both /etc/hostconfig and /etc/hosts did the trick after a reboot.

    When promoting, the search base was correct and without .local. The slapconfig log looks alright, but with a few grunts about not being able to configure http.

    Thanks for the help guys.
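The pattern in this thread is that slapconfig -kerberize bails out as soon as the hostname it sees is a Rendezvous (Bonjour) ".local" name rather than the DNS FQDN, and the fix was to pin the FQDN in /etc/hostconfig and /etc/hosts. The script below is an added example, not code from the thread or from Apple: a pre-promotion check that flags a hostname slapconfig would skip on and prints the two lines that pin it. The names kt-macserve-example-ac-uk.local, xs01.example.ac.uk, xs01.example.com and the address 192.0.2.10 are constructed placeholders; the HOSTNAME key in /etc/hostconfig is the one Tiger Server reads (its default is HOSTNAME=-AUTOMATIC-, which is what lets the Rendezvous name win).

```shell
#!/bin/sh
# Added example (not from the thread): hostname sanity check before OD master
# promotion. slapconfig -kerberize skips Kerberos setup when the hostname is a
# Rendezvous/Bonjour ".local" name instead of the DNS FQDN.

# hostname_is_kerberizable NAME
# Returns 0 when NAME looks like a usable FQDN (at least two labels, no .local
# suffix, only hostname characters), 1 otherwise. Pure string check, runs anywhere.
hostname_is_kerberizable() {
    name=$1
    case "$name" in
        ''|*.local|*.local.) return 1 ;;   # Rendezvous-derived name: slapconfig skips on this
        *.*) ;;                             # has at least one dot, keep checking
        *) return 1 ;;                      # bare short name
    esac
    case "$name" in
        *[!A-Za-z0-9.-]*) return 1 ;;       # anything outside letters, digits, dot, hyphen
    esac
    return 0
}

# hostconfig_line NAME
# Prints the /etc/hostconfig line that pins the hostname on Tiger Server
# (replacing the default HOSTNAME=-AUTOMATIC-).
hostconfig_line() {
    printf 'HOSTNAME=%s\n' "$1"
}

# hosts_line IP NAME
# Prints the /etc/hosts entry: address, FQDN, then the short name as an alias.
hosts_line() {
    short=${2%%.*}
    printf '%s\t%s %s\n' "$1" "$2" "$short"
}

# check_live_hostname
# Inspects the running machine via hostname(1) and reports what slapconfig will see.
check_live_hostname() {
    command -v hostname >/dev/null 2>&1 || { echo "hostname(1) not available"; return 2; }
    current=$(hostname)
    if hostname_is_kerberizable "$current"; then
        echo "OK: hostname '$current' is an FQDN; slapconfig -kerberize should not skip it"
        return 0
    fi
    echo "WARNING: hostname '$current' is a .local or short name; slapconfig will skip Kerberos"
    echo "Pin the FQDN before promoting, e.g. in /etc/hostconfig:"
    hostconfig_line "xs01.example.com"            # placeholder FQDN
    echo "and in /etc/hosts:"
    hosts_line "192.0.2.10" "xs01.example.com"    # placeholder address (TEST-NET-1)
    echo "then reboot and confirm forward and reverse DNS agree with hostname(1)."
    return 1
}

# Constructed sample names showing the two cases from the thread.
for sample in kt-macserve-example-ac-uk.local xs01.example.ac.uk; do
    if hostname_is_kerberizable "$sample"; then
        echo "$sample: usable FQDN"
    else
        echo "$sample: would be skipped by slapconfig -kerberize"
    fi
done
```

Run `check_live_hostname` on the server itself (it is a function, so source the file or append a call) to see the verdict for the real hostname; the string check deliberately mirrors the exact symptom in the slapconfig log ("Hostname ... is from Rendezvous"), so a .local result is the cue to pin the FQDN and reboot before promoting.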

    #364337
    dom9inic
    Participant

    I thought as much, considering this is a vanilla install, software updates applied in standalone, then merely promoted to OD master in Server Admin. Nothing else touched, save editing /etc/hostconfig and /etc/hosts.

    Quickly set up AFP to create my NetInstall Imaging share and access works as expected.

    Cheers again,

    #364345
    dom9inic
    Participant

    Yes, I have been impressed with boot times in Tiger Server, how interesting.

    Just wanted to say what a wonderful resource afp is and by extension you guys. Apple Documentation is handy but this is where you learn what is actually going on.

    Many Thanks,
