Another Kerberos Issue

    #375294
    Carter
    Participant

    Hey Everybody,

    I’m about to pull my hair out. I’m trying to stand up a new Leopard Server box and I’m having a heck of a time getting Kerberos to start. This particular box started as a 10.5.6 client and was upgraded to server 10.5.6 before I started the DNS and Open Directory config. I followed the Leopard Quickstart Guide as featured [url=https://www.afp548.com/filemgmt_data/files/Leopard%20Server%20Quickstart%20Guide.pdf]here[/url] as I have done on other Server boxes before this one and for some reason I just can’t get Kerberos to get going. If anybody can help, I would greatly appreciate it! Here’s the output of slapconfig.log… MANY THANKS IN ADVANCE!

    [code]2009-02-01 18:45:50 -0500 – slapconfig -setstandalone
    2009-02-01 18:52:09 -0500 – slapconfig -setmaxnumberofdblocks
    2009-02-01 18:52:09 -0500 – Updating bdb lock size to 10000
    2009-02-01 18:52:09 -0500 – Not updating bdb lock size – Not an OD server
    2009-02-01 18:52:10 -0500 – slapconfig -updateindexes
    2009-02-01 18:58:23 -0500 – slapconfig -createldapmasterandadmin
    2009-02-01 18:58:23 -0500 – Creating password server slot
    2009-02-01 18:58:23 -0500 – command: /usr/sbin/mkpassdb -u diradmin -p -q
    2009-02-01 18:58:23 -0500 – command: /usr/sbin/mkpassdb -a -u root -p -q
    2009-02-01 18:58:23 -0500 – command: /usr/sbin/mkpassdb -a -u server.gocarter.me$ -p -q
    2009-02-01 18:58:23 -0500 – command: /usr/sbin/mkpassdb -setcomputeraccount 0x4986371f6b8b45670000000300000003
    2009-02-01 18:58:23 -0500 – Setting SASL realm to
    2009-02-01 18:58:23 -0500 – command: /usr/sbin/mkpassdb -setrealm server.gocarter.me
    2009-02-01 18:58:27 -0500 – Starting LDAP server (slapd)
    2009-02-01 18:58:27 -0500 – command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=server,dc=gocarter,dc=me -w ****
    2009-02-01 18:58:27 -0500 – command: /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    2009-02-01 18:58:27 -0500 – slaptest command output:
    config file testing succeeded
    2009-02-01 18:58:27 -0500 – Stopping LDAP server (slapd)
    2009-02-01 18:58:30 -0500 – Starting LDAP server (slapd)
    2009-02-01 18:58:30 -0500 – command: /usr/bin/ldapmodify -c -x -D uid=root,cn=users,dc=server,dc=gocarter,dc=me -w ****
    2009-02-01 18:58:30 -0500 – Stopping LDAP server (slapd)
    2009-02-01 18:58:30 -0500 – Starting LDAP server (slapd)
    2009-02-01 18:58:30 -0500 – command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=server,dc=gocarter,dc=me -w ****
    2009-02-01 18:58:30 -0500 – Attempting to open /LDAPv3/127.0.0.1 node
    2009-02-01 18:58:30 -0500 – Opened /LDAPv3/127.0.0.1 node
    2009-02-01 18:58:31 -0500 – Configuring Kerberos server, realm is SERVER.GOCARTER.ME
    2009-02-01 18:58:31 -0500 – Removed directory at path /var/db/krb5kdc.
    2009-02-01 18:58:31 -0500 – command: /sbin/kerberosautoconfig -r SERVER.GOCARTER.ME -m server.gocarter.me -u -v 1
    2009-02-01 18:58:31 -0500 – command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 SERVER.GOCARTER.ME
    2009-02-01 18:58:42 -0500 – kdcsetup command output:
    Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File
    Creating Admin ACL File
    Creating Kerberos Master Key
    Creating Kerberos Database
    Creating Kerberos Admin user
    WARNING: no policy specified for [email protected]; defaulting to no policy
    Adding kerberos auth authority to admin user
    Creating keytab for the admin tools
    Adding KDC & kadmind to launchd
    com.apple.kdcmond: Already loaded
    The KDC is not running error = 3
    Failed to configure error = 3
    2009-02-01 18:58:42 -0500 – kdcsetup command failed with status 3
    [/code]
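Added example (my code, not from the thread): a small Python triage parser for the slapconfig.log format quoted above. slapconfig timestamps its own lines and copies each tool's output in verbatim under a "<tool> command output:" header, so the failing step, its exit status and its last output lines can be pulled out of a long log without reading it by hand. The sample log is a constructed excerpt of the posted one.

```python
import re
from dataclasses import dataclass, field
# Constructed excerpt of the slapconfig.log posted above (not the full log).
SAMPLE_LOG = """\
2009-02-01 18:58:31 -0500 - Configuring Kerberos server, realm is SERVER.GOCARTER.ME
2009-02-01 18:58:31 -0500 - command: /sbin/kerberosautoconfig -r SERVER.GOCARTER.ME -m server.gocarter.me -u -v 1
2009-02-01 18:58:31 -0500 - command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 SERVER.GOCARTER.ME
2009-02-01 18:58:42 -0500 - kdcsetup command output:
Creating Kerberos Database
com.apple.kdcmond: Already loaded
The KDC is not running error = 3
Failed to configure error = 3
2009-02-01 18:58:42 -0500 - kdcsetup command failed with status 3
"""
TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4} [-\u2013] (.*)$")
CMD = re.compile(r"^command: (\S+)\s*(.*)$")
OUT = re.compile(r"^(\S+) command output:$")
FAIL = re.compile(r"^(\S+) command failed with status (\d+)$")
REALM = re.compile(r"realm is (\S+)$")
@dataclass
class Command:
    tool: str      # executable basename, e.g. "kdcsetup"
    argv: str      # arguments as logged (slapconfig already masks the -p value as ****)
    output: list = field(default_factory=list)
    status: int = 0  # from "<tool> command failed with status N"; 0 if never reported

def parse_slapconfig(text):
    """Return (realm, commands). slapconfig timestamps its own lines; tool output
    has no timestamp and is attached to the command it belongs to."""
    realm, cmds, current = None, [], None
    for raw in text.splitlines():
        m = TS.match(raw)
        if not m:                      # tool output line
            if current is not None:
                current.output.append(raw.strip())
            continue
        msg = m.group(1)
        if (r := REALM.search(msg)):
            realm = r.group(1)
        elif (c := CMD.match(msg)):
            current = Command(c.group(1).rsplit("/", 1)[-1], c.group(2))
            cmds.append(current)
        elif (o := OUT.match(msg)):    # re-point at the command this output belongs to
            current = next((x for x in reversed(cmds) if x.tool == o.group(1)), current)
        elif (f := FAIL.match(msg)):
            hit = next((x for x in reversed(cmds) if x.tool == f.group(1)), None)
            if hit: hit.status = int(f.group(2))
    return realm, cmds

def failed_commands(text):
    """Commands slapconfig reported as failed, each with its captured output."""
    return [c for c in parse_slapconfig(text)[1] if c.status]
```

Run against a real /Library/Logs/slapconfig.log the same way; on the posted log it isolates kdcsetup exiting with status 3 right after "The KDC is not running error = 3".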

    #375295
    JonThompson
    Participant

    I can’t help without actually playing with your setup as Kerberos setup is often picky at different parts of the process for different reasons. Anyhow, what I can do is point you to the information that allowed me to troubleshoot my Kerberos issues when I had them:

    https://www.afp548.com/Articles/Panther/kerberos1.html
    https://www.afp548.com/Articles/Panther/kerberos2.html

    We’re still waiting on part three 😛

    Anyhow, while they may seem dated, they aren’t. They are as valid in Leopard as in Panther.

    As for directions in troubleshooting…

    Since this is a new box, there is little harm in blowing out Kerberos (I’ve never really seen any harm in blowing it out on a production server, really, except that Kerberos users can’t log in during the blowout). Follow these steps:

    1) Use Launchctl to unload Kerberos related LaunchAgents (kdcmond)
    2) Blow it out using the instructions in the kerberos 2 document linked above.
    3) Re-create it using the instructions in the kerberos 2 document linked above.
    4) Use Launchctl to load Kerberos related LaunchAgents if they are not loaded in step 3.

    #375298
    Carter
    Participant

    Thanks for the excellent info. I’ll look this over, try out your suggestion, and let you know how it works.

    #375346
    JonThompson
    Participant

    Any word?

    #375353
    eclemens
    Participant

    Your comments indicate that the machine was a 10.5.6 client before you upgraded to server?

    If you have an OSX 10.5 client and “blow away” the Local KDC without deleting the KDC items in the system keychain, the same KDC will be re-created each time you think you are creating a fresh KDC. Since you started with client and upgraded to server, you probably have the original KDC which may be conflicting with the DirectoryServices Kerberos integration.

    I would recommend starting from scratch: reformat the hard drive, install ONLY server, run all outstanding OS updates before configuring OD and Kerberos.

    Trying to “clean up” the problem may work, but it is a little complex and the outcome is uncertain.

    You’ll get better results with a fresh installation, properly configured.
