Can’t Get Kerberos Going

  • #368564
    Shan Younker
    Participant

    Server is bound to AD.
    DNS is running on AD server. DNS name and IP resolve correctly.
    OD is only service running on this server and server is setup as an OD master. My OD groups are composed solely of AD users.

    Kerberos won’t start. Click the Kerberize button. Enter diradmin and password. Click OK – nothing happens.

    Would demoting the server to standalone then back to OD master help with Kerberos? Will this hose the existing OD users?

    As long as clients are bound to AD and OD, they are managed (MCX). If they are only bound to OD then they are not managed. I think kerberos is the issue. What logs can I look in to find the problem?

    I’ve seen this issue on the boards here but no solutions.

    Update: when I use sso_util to configure Kerberos I get the following:
    Contacting the directory server
    Configuring for Active Directory
    Unable to cofigure service http error = 2
    Unable to cofigure service HTTP error = 2
    Cleaning up

    #368584
    Shan Younker
    Participant

    All my computers are authenticating to AD. I’m unclear on whether I need to run Kerberos on my OD master too! However, some of my users are having the issue where they can’t log in. Their accounts are not locked in AD and a reboot typically solves this (educating the users on when to restart and when to call the help desk to reset their accounts is another issue). Apple has an article on something similar: http://docs.info.apple.com/article.html?artnum=300765 The gist is that at login the AD controller is slow to respond and the client is getting conflicting information (OD or AD), thus causing a login issue. It seemed to me that enabling Kerberos on my OD master may fix this issue.

    Over the weekend I changed my server to Standalone then back to OD master, and Kerberos still won’t start.

    #368590
    Shan Younker
    Participant

    Kerberos – thanks for the tip. I’ll stop chasing that one down. DNS is working as it should, both forward and reverse.

    As far as the login issues go… The message my users are getting is along the lines of “the system can’t log you in at this time.” Checking with our AD admin, their accounts are active and unlocked. A restart has always fixed the issue. It’s happening on both 10.3.9 and 10.4.8 workstations.

    Is there a log I can check to see if an error message is being generated?
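The posts above check by hand that the server’s DNS name and IP resolve correctly in both directions; Kerberos and AD/OD binding depend on that consistency and on the resolver answering promptly. The script below is an added example, not code from this thread or from Apple: it verifies that a hostname’s forward record agrees with the reverse record of every address it resolves to, flags CNAME aliases and missing PTRs, and times each lookup. The hostnames, addresses and the `fake_forward`/`fake_reverse` tables are constructed so it runs offline; pass no resolver arguments to use the real system resolver.

```python
"""Added example (not from the thread): verify that a host's forward and reverse
DNS records agree, and time each lookup. Kerberos and AD/OD binding depend on
both being consistent and answered promptly."""
import socket
import time


def check_dns_consistency(hostname, forward=socket.gethostbyname_ex,
                          reverse=socket.gethostbyaddr, slow_ms=500):
    """Return a list of findings for HOSTNAME; an empty list means the forward
    record, every reverse record and the lookup times all look healthy.

    `forward` and `reverse` default to the system resolver; the constructed
    tables below let the check run offline.
    """
    findings = []
    want = hostname.rstrip(".").lower()

    started = time.monotonic()
    try:
        canonical, _aliases, addresses = forward(hostname)
    except OSError as exc:
        return [f"forward lookup of {hostname} failed: {exc}"]
    elapsed_ms = (time.monotonic() - started) * 1000
    if elapsed_ms > slow_ms:
        findings.append(f"forward lookup of {hostname} took {elapsed_ms:.0f} ms")
    if canonical.rstrip(".").lower() != want:
        # A CNAME'd hostname is a classic source of Kerberos principal mismatches.
        findings.append(f"{hostname} is an alias for {canonical}")
    if not addresses:
        findings.append(f"{hostname} has no A record")

    for addr in addresses:
        started = time.monotonic()
        try:
            rname, _raliases, _raddrs = reverse(addr)
        except OSError as exc:
            findings.append(f"reverse lookup of {addr} failed: {exc}")
            continue
        elapsed_ms = (time.monotonic() - started) * 1000
        if elapsed_ms > slow_ms:
            findings.append(f"reverse lookup of {addr} took {elapsed_ms:.0f} ms")
        if rname.rstrip(".").lower() != want:
            findings.append(f"{addr} reverses to {rname}, not {hostname}")
    return findings


# Constructed lookup tables standing in for a real zone; hypothetical names
# and addresses, not from the thread.
CONSTRUCTED_FORWARD = {
    "od.example.com": ("od.example.com", [], ["10.0.0.5"]),
    "alias.example.com": ("od.example.com", ["alias.example.com"], ["10.0.0.5"]),
    "bad.example.com": ("bad.example.com", [], ["10.0.0.6", "10.0.0.7"]),
}
CONSTRUCTED_REVERSE = {
    "10.0.0.5": ("od.example.com", [], ["10.0.0.5"]),
    "10.0.0.6": ("other.example.com", [], ["10.0.0.6"]),
    # 10.0.0.7 deliberately has no PTR record.
}


def fake_forward(name):
    """Stand-in for socket.gethostbyname_ex over the constructed table."""
    try:
        return CONSTRUCTED_FORWARD[name]
    except KeyError:
        raise socket.gaierror(-2, "name not found") from None


def fake_reverse(addr):
    """Stand-in for socket.gethostbyaddr over the constructed table."""
    try:
        return CONSTRUCTED_REVERSE[addr]
    except KeyError:
        raise socket.herror(1, "unknown host") from None


if __name__ == "__main__":
    for name in CONSTRUCTED_FORWARD:
        print(name, check_dns_consistency(name, fake_forward, fake_reverse) or "OK")
```

Run it against the real server with `check_dns_consistency("yourserver.example.com")` from both the OD master and a workstation at a remote site; a non-empty list, or a lookup that trips the `slow_ms` threshold, is the kind of DNS problem that keeps Kerberos from starting or makes logins fail intermittently.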

    #368602
    Shan Younker
    Participant

    Not using network homes. I’ll browse the logs. I had a user this AM who had to reboot twice before he could log in. I’ll post what I find.

    Thanks

    #368609
    Shan Younker
    Participant

    The logs are showing some problems. One is showing a ‘Couldn’t get computer data -14956’ error. I found a similar issue here on AFP so I’m going to try deleting the files in /library/preferences/directoryservices and the plist in ~/library/preferences

    I also found the directory services crash log which is showing KERN_PROTECTION_FAILURES. Hopefully deleting the files then binding to AD and OD again will clear this up.

    #368624
    2smuth
    Participant

    I’ve had that a lot, where a reboot of either the Xserve or client fixed it; for me it was DNS timing. My centralized DNS takes a big hit at times. Have you tried enabling DNS on the Xserve and doing a cache? It settled the problem for me with remote sites on T1s not getting the response times necessary.

    #368630
    Shan Younker
    Participant

    I haven’t tried that. How do you set it up?
