Can’t bind 10.6 Machines to 10.6 OD.

  • #377753
    Moofo
    Participant

    We upgraded our server from 10.5.8 to 10.6 and everything works OK except this.

    I always get a “wrong password” message when asked for the diradmin credentials.

    It often works if we configure the OD manually in Directory Utility and add it to the search path. We can then bind it with no problems. Anyone knows why it’s not working ?

    Also

    How can we clear a client machine config in regards to Kerberos and binding in general? I’m using netrestore here and when I try to bind, I get a message that the record exists already when it does not.

    #377946
    sunnyape
    Participant

    Can you supply the dsconfigldap code you’re using to do the bind?

    To reset the KDC database on an SOE image before deploying it, use something like :

    [code]rm -rf /var/db/krb5kdc
    /usr/libexec/configureLocalKDC[/code]

    #377991
    Moofo
    Participant

    Sorry for the late reply….

    I’m binding manually using Directory Utility

    This morning, I found that I can’t use diradmin anymore in my server with Workgroup Manager…

    #378003
    jorban
    Participant

    I’ve got EXACTLY the same issue.

    When attempting to bind a cloned computer to Open Directory (10.6.2 XServe, 10.6.2 MacBook) I get a message that the record already exists, do I want to overwrite? I say, “Yes”, then the process throws an error that it can’t overwrite the record. I click “OK” to close the window.

    When I open Workgroup Manager, lo and behold, the computer IS listed but there is no UUID. If I copy the UUID from the “About this Mac” window to WGM it APPEARS as if the laptop is bound, i.e. I can manage the laptop from the server.

    When I used to clone Windows machines I had to run a mini-setup that, in effect, cleared the GUID (which I assume is the same as the UUID) so that the machines would appear unique to Active Directory.

    Since I’m an idiot, I can’t seem to figure out how to do the same thing to a cloned Mac. I’ve also got issues with cloning machines but that’s for another thread.

    Anyhow, before I get to cloning all my machines this summer I’d like to know what I’m doing wrong.

    Thanks,
    John

    #378005
    Moofo
    Participant

    First of all, in 10.5 and in 10.6, if you use netrestore, the destination disk of the machine you will restore will end up as “HFS+” not “HFS+ Journaled” which causes some problem with reliability on hard reboots. For this reason, there was always a script on the admin desktop of the image to:

    Reset the KDC
    Enable Journaling

    My script seems to work on 10.6, except that it seems that it doesn’t replace the certificates in the system keychain. To avoid the “overwrite” problem you had, there is a simple fix.

    Before shutting down your master machine, go to the keychain and flush all entries in the system keychain. I would also flush /var/db/krb5kdc.

    You can then create your image, however when you use it to restore a machine, remember to execute /usr/libexec/configureLocalKDC which seems to repopulate the system keychain with a new seed.

    You won’t have the “overwrite” problem anymore.

    I still have to do a little dance to bind them though, the direct method seems to fail.

    Oh and my diradmin problem solved itself by simply backing up the OD and restoring it…

    #378018
    tlarkin
    Participant

    Did you wipe and reload or upgrade?

    #378019
    Moofo
    Participant

    I upgraded.

    It wasn’t smooth, but so far it works !

    All my problems were solved by backing up and restoring OD.

    #378020
    tlarkin
    Participant

    I have had sketchy results with upgrades which is why I wipe and reload

    #378031
    jorban
    Participant

    Well, in order to use NetRestore you have to be able to create a system image. So far, in about 90% of the times I’ve tried, the System Imaging Utility creates the System.dmg image and then the program crashes. The only reliable image I’ve created is from the OSX install disk (which, of course, is useless with all the updates and such that have come out).

    I had a discussion with Tech Support today and they admitted some “issues” with the System Imaging Utility. Have NO IDEA what that means, except that perhaps others are having the same problem.

    I have no doubt that NetRestore solves this problem, but until I can create a reliable image, I can’t really use NetRestore.

    BTW, I attempted using the posted script:

    Last login: Fri Feb 19 14:16:09 on console
    SCI-03:~ administrator$ rm -rf /var/db/krb5kdc /usr/libexec/configureLocalKDC
    rm: /var/db/krb5kdc: Permission denied
    rm: /usr/libexec/configureLocalKDC: Permission denied

    But it didn’t work.

    OK…I’m an idiot…has to be run as root…and it’s two separate commands…I’m still learning…

    Halle-freaking-lujah!

    That fixed it…

    The commands are:

    $: sudo rm -rf /var/db/krb5kdc
    Enter administrator password

    $: sudo /usr/libexec/configureLocalKDC
    May not have to enter the password again

    Now I can bind the computer properly

    #378039
    jorban
    Participant

    Well, I thought I could edit the above post but apparently I can not.

    Here are the EXACT steps to bind – at least what worked for me.

    Step 1 – REMOVE the three com.apple.kerberos.kdc entries in the System part of Keychain Access. I suspect the terminal command is supposed to do that, but apparently it does not.
    Step 2 – Reboot (I’m pretty sure this is necessary as I tried binding both before and after running the commands and binding did not work).
    Step 3 – After reboot, run the two commands as root.
    Step 4 – Bind will now succeed.

    When binding failed for me in the past the computer WAS added to WGM. I just added the UUID and the ethernet address and it appeared that the computers were now manageable from the XServer. While not bound the clients appeared to be so. I don’t know if this is because the Mac OS is forgiving or not.

    I’m assuming the ONLY reason to bind to an XServe is for remote management? Even non bound clients seem to work with the network just fine.

    So much to learn…so little time.

    #379468
    andyboutte
    Participant

    [QUOTE][u]Quote by: Moofo[/u][p]First of all, in 10.5 and in 10.6, if you use netrestore, the destination disk of the machine you will restore will end up as “HFS+” not “HFS+ Journaled” which causes some problem with reliability on hard reboots. For this reason, there was always a script on the admin desktop of the image to:

    Reset the KDC
    Enable Journaling

    My script seems to work on 10.6, except that it seems that it doesn’t replace the certificates in the system keychain. To avoid the “overwrite” problem you had, there is a simple fix.

    [/p][/QUOTE]

    Moofo can you post your script for enabling journaling? Also the process you use with the script? Do you use it with instadmg or after first boot? Thanks.

    #379469
    Moofo
    Participant

    The script is on the admin account desktop. We’re executing it prior to binding.

    Script:

    [code]sudo rm -fr /var/db/krb5kdc
    sudo /usr/libexec/configureLocalKDC
    sudo diskutil enablejournal /
    exit[/code]

    I guess there would be a better way to do it, but this works…
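Added example, not a script from any poster in this thread: the same KDC reset sequence written as a script that checks for root before touching anything and runs the two commands as separate steps, stopping at the first failure, which is exactly where the `Permission denied` attempt earlier in the thread went wrong. The KDC path and the configureLocalKDC path are parameters (defaults are the ones quoted above) so the logic can be exercised against a scratch directory; the journaling step from the posted script is left out.

```shell
#!/bin/sh
# Defaults are the paths named in the thread; override to test elsewhere.
KDC_DIR="${KDC_DIR:-/var/db/krb5kdc}"
CONFIGURE_KDC="${CONFIGURE_KDC:-/usr/libexec/configureLocalKDC}"

# Returns 0 when the effective user is root, 1 otherwise.
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

# Step 1: remove the old KDC database so the restored image starts clean.
# Returns 0 if the directory is gone afterwards (or was never there).
reset_kdc_database() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no KDC database at $dir (already clean)"
        return 0
    fi
    rm -rf "$dir" || return 1
    [ ! -e "$dir" ]
}

# Step 2: regenerate the local KDC with the tool the thread names.
# Refuses to proceed if the tool is missing instead of silently skipping it.
regenerate_local_kdc() {
    tool="$1"
    [ -x "$tool" ] || { echo "missing or not executable: $tool" >&2; return 1; }
    "$tool"
}

# Whole sequence. Exit codes: 2 not root, 3 could not remove the database,
# 4 the regeneration tool failed, 0 success.
reset_local_kdc() {
    dir="$1"; tool="$2"
    running_as_root || { echo "run with sudo: the KDC reset needs root" >&2; return 2; }
    reset_kdc_database "$dir" || { echo "could not remove $dir" >&2; return 3; }
    regenerate_local_kdc "$tool" || { echo "$tool failed" >&2; return 4; }
    echo "local KDC reset; reboot before binding"
}

# Only act on the real system when explicitly asked (./reset-kdc.sh --run).
if [ "${1:-}" = "--run" ]; then
    reset_local_kdc "$KDC_DIR" "$CONFIGURE_KDC"
fi
```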

    #379472
    jorban
    Participant

    Thanks for the script!

    John
