Can’t bind 10.5.6 client to 10.5.6 server with Kerberos (Open Directory forum thread)

    #375308
    Carter
    Participant

    I saw a similar post in the forums for this, but there was never any response. I’ve got a newly created 10.5.6 server setup as an OD master. DNS is running and Server Admin says Kerberos is running. Now I’m trying to bind my first client to it and it won’t bind. Directory Utility looks like it is starting to bind and then just seems to quit with no error messages or anything. I went back to the server and disabled the Kerberos related binding options (Digitally sign packets, encrypt all packets, block MITM attacks) and then the client was able to bind just fine. Very frustrating.

    Went and checked the “Password Service Server Log” (ApplePasswordServer.Server.log) and I can see where my Kerberos authentication succeeds when I attempt to bind. Then went to check the system.log on the client and this is what I’m seeing immediately after attempting to bind with Kerberos:

    [code]
    Feb 3 17:39:21 bender com.apple.KerberosAutoConfig[4301]: The machine is standalone
    Feb 3 17:39:21 bender com.apple.KerberosAutoConfig[4301]: Removing /Library/Preferences/edu.mit.Kerberos
    Feb 3 17:39:21 bender com.apple.KerberosAutoConfig[4302]: The machine is standalone
    Feb 3 17:39:21 bender com.apple.KerberosAutoConfig[4302]: Removing /Library/Preferences/edu.mit.Kerberos
    Feb 3 17:39:21 bender com.apple.KerberosAutoConfig[4303]: The machine is standalone
    Feb 3 17:39:21 bender com.apple.KerberosAutoConfig[4303]: Removing /Library/Preferences/edu.mit.Kerberos
    Feb 3 17:39:25 bender com.apple.KerberosAutoConfig[4304]: The machine is standalone
    Feb 3 17:39:25 bender com.apple.KerberosAutoConfig[4304]: Removing /Library/Preferences/edu.mit.Kerberos
    Feb 3 17:39:25 bender com.apple.KerberosAutoConfig[4305]: The machine is standalone
    Feb 3 17:39:25 bender com.apple.KerberosAutoConfig[4305]: Removing /Library/Preferences/edu.mit.Kerberos
    Feb 3 17:39:25 bender com.apple.KerberosAutoConfig[4306]: The machine is standalone
    Feb 3 17:39:25 bender com.apple.KerberosAutoConfig[4306]: Removing /Library/Preferences/edu.mit.Kerberos
    Feb 3 17:39:25 bender com.apple.KerberosAutoConfig[4307]: The machine is standalone
    Feb 3 17:39:25 bender com.apple.KerberosAutoConfig[4307]: Removing /Library/Preferences/edu.mit.Kerberos
    [/code]

    Is it possible something is bad on the config on my client box? Should I try to bind with another machine?

    Thanks in advance for the help.

    #375316
    Carter
    Participant

    I have the following settings for Open Directory’s binding policies – hope this is what you’re referring to.

    -Enable Authenticated Directory Binding – YES
    -Require authenticated binding between directory and clients – YES
    -Disable clear text passwords – YES
    -Digitally sign all packets (requires Kerberos) – YES
    -Encrypt all packets (requires SSL or Kerberos) – YES
    -Block man-in-the-middle attacks (requires Kerberos) – YES
    -Disable client-side caching – NO
    -Allow users to edit their own contact information – NO

    #375328
    ntownsend
    Participant

    I have the same problem.
    10.5.6 OD Master, 10.5.6 Server bound as “Connected to a Directory Server”. The Join Kerberos button prompts me for a dir admin user and password. The slapconfig log on the client spits out:

    Contacting the directory server
    Creating the service list
    Creating the service principals
    Creating the keytab file

    — key tab file stuff

    Configuring services
    WriteSetupFile: setup file path = /temp.5qal/setup

    The “Join Kerberos” button does not disappear.

    #375329
    Carter
    Participant

    [QUOTE][u]Quote by: ntownsend[/u][p]I have the same problem.
    10.5.6 OD Master, 10.5.6 Server bound as “Connected to a Directory Server”. The Join Kerberos button prompts me for a dir admin user and password. The slapconfig log on the client spits out:

    Contacting the directory server
    Creating the service list
    Creating the service principals
    Creating the keytab file

    — key tab file stuff

    Configuring services
    WriteSetupFile: setup file path = /temp.5qal/setup

    The “Join Kerberos” button does not disappear.[/p][/QUOTE]

    That doesn’t sound like my problem at all.

    #375336
    tlarkin
    Participant

    Have you guys tried making the server a replica, then after it replicates demoting it to just part of a directory? Just wondering if that made any difference. Kerberos works fine on my servers, but all of mine are replicas of a master.

    #375337
    Carter
    Participant

    I’ve got just a single server. So there’s really no use in trying to make it a replica.

    #375339
    tlarkin
    Participant

    Is it an Open Directory Master? You may need to have that enabled for kerberos to work in full effect. I am not sure on that though, but it would be easy to try.

    #375342
    Carter
    Participant

    [quote]I’ve got a newly created 10.5.6 server setup as an OD master. DNS is running and Server Admin says Kerberos is running. Now I’m trying to bind my first client to it and it won’t bind.[/quote]

    See my original post for all the details. Thanks.

    #375343
    tlarkin
    Participant

    [QUOTE][u]Quote by: Carter[/u][p][quote]I’ve got a newly created 10.5.6 server setup as an OD master. DNS is running and Server Admin says Kerberos is running. Now I’m trying to bind my first client to it and it won’t bind.[/quote]

    See my original post for all the details. Thanks.[/p][/QUOTE]

    That is where I am getting confused. So, the log says it can’t bind because the server is standalone? Yet you say it is configured as an Open Directory Master? Well, what happens if you launch Kerberos manually from /System/Library/CoreServices/Kerberos (or wherever it is located; that is just my best guess without being near a Mac at the moment) and see if you can get a ticket from your ODM manually. Then try to bind, log in, etc. and whatever else you are trying to accomplish.

    I have a very simple setup at work: 1 ODM, 6 T1 ODRs and 10 T2 ODRs. I just set up Open Directory, synced LDAP, and all of my clients can bind to the ODM or a replica no problem. I didn’t turn on anything special. I also have all my IPs and DNS in order though.
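A small triage script for the two things this thread turns on: the client-side KerberosAutoConfig “machine is standalone / Removing edu.mit.Kerberos” signature from the original post, and the manual checks tlarkin suggests (DNS in order, get a ticket from the ODM before binding). This is an added example, not a script from the thread or from Apple; it assumes a 10.5 client with `host` and the MIT `klist` on PATH, and the server name passed on the command line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes: 10.5 client, host and klist on PATH.

# Offline check: count bind attempts in which com.apple.KerberosAutoConfig declared the
# machine standalone and then removed /Library/Preferences/edu.mit.Kerberos. Both lines
# carry the same PID, so a "Removing" line counts only when a "standalone" line with
# that PID precedes it.
autoconfig_standalone_pairs() {
    awk '
      /com\.apple\.KerberosAutoConfig\[[0-9]+\]: The machine is standalone/ {
          match($0, /\[[0-9]+\]/); pid = substr($0, RSTART + 1, RLENGTH - 2); seen[pid] = 1
      }
      /com\.apple\.KerberosAutoConfig\[[0-9]+\]: Removing \/Library\/Preferences\/edu\.mit\.Kerberos/ {
          match($0, /\[[0-9]+\]/); pid = substr($0, RSTART + 1, RLENGTH - 2)
          if (seen[pid]) { n++; delete seen[pid] }
      }
      END { print n + 0 }' "$1"
}

# Constructed sample in the format of the client system.log quoted in the thread:
# two complete standalone/removal pairs, one orphan "standalone" line, one unrelated line.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Feb 3 17:39:21 bender com.apple.KerberosAutoConfig[4301]: The machine is standalone
Feb 3 17:39:21 bender com.apple.KerberosAutoConfig[4301]: Removing /Library/Preferences/edu.mit.Kerberos
Feb 3 17:39:21 bender com.apple.KerberosAutoConfig[4302]: The machine is standalone
Feb 3 17:39:21 bender com.apple.KerberosAutoConfig[4302]: Removing /Library/Preferences/edu.mit.Kerberos
Feb 3 17:39:25 bender com.apple.KerberosAutoConfig[4304]: The machine is standalone
Feb 3 17:39:30 bender kernel[0]: unrelated message
EOF
echo "standalone/removal pairs in sample log: $(autoconfig_standalone_pairs "$SAMPLE_LOG")"

# Online checks, run only when the OD master FQDN is passed as $1 (placeholder name, e.g.
# ./odbind-check.sh od.example.com): forward and reverse DNS must agree, the client must
# still have its Kerberos config, and a ticket must be obtainable before a Kerberized bind.
if [ $# -ge 1 ]; then
    SERVER=$1
    IP=$(host "$SERVER" | awk '/has address/ { print $4; exit }')
    RDNS=$(host "$IP" 2>/dev/null | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5; exit }')
    if [ -n "$IP" ] && [ "$RDNS" = "$SERVER" ]; then
        echo "DNS ok: $SERVER -> $IP -> $RDNS"
    else
        echo "DNS mismatch: $SERVER -> '$IP' -> '$RDNS' (fix forward/reverse records first)"
    fi
    [ -f /Library/Preferences/edu.mit.Kerberos ] && echo "client Kerberos config present" \
        || echo "client Kerberos config missing (KerberosAutoConfig removed it: client sees itself as standalone)"
    klist -s && echo "valid ticket cached" || echo "no ticket: run kinit <diradmin>@<REALM> against $SERVER, then bind"
fi
```

Run it against the client's `/var/log/system.log` (replace the constructed sample path) to see how many bind attempts ended in the config being thrown away; a non-zero count with a DNS mismatch or missing ticket points at the server side, not the client's Directory Utility settings.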

    #375795
    schilled
    Participant

    Carter-
    I am having the same issue, and I am not going to be much help. Just like you, if I turn off all of the security settings, including the most important one to me, Trusted Binding, I can connect the computers just fine, but then they are not available for customizing the settings for groups. I get the same client error:

    [code]
    com.apple.KerberosAutoConfig[11709] The machine is standalone
    com.apple.KerberosAutoConfig[11709] Removing /Library/Preferences/edu.mit.Kerberos
    [/code]

    If anyone has any ideas please post up.

    #375803
    matx
    Participant

    Seeing something similar with a new Mac OS X 10.5.6 server which can bind once or twice, then suddenly can’t bind and the OD Master reports that it is standalone and the LDAP/PD db is wiped. Really weird. And Kerberos stops. Fun.
