Changing Kerberos Realm Name

  • #367850
    hami
    Participant

    Hi I’m hoping someone can help me here,
    I had to change the fully-qualified domain name of my server from [i][b]servername.domain.net[/b][/i] to [i][b]servername.domain.lan[/b][/i]. To do this I ran this changeip command:
    [code]changeip /LDAPv3/127.0.0.1 10.0.1.1 10.0.1.1 servername.domain.net servername.domain.lan[/code]
    That all worked well except that the Kerberos realm name still seems to be set to the old server name. It shows up looking something like this:
    [code][email protected][/code]
    Also the Open Directory search base is still set to the old domain [i][b]dc=servername,dc=domain,dc=net[/b][/i] and not the new domain settings. Everywhere else the search base is correct [i][b]dc=servername,dc=domain,dc=lan[/b][/i]. Unfortunately I can’t change this field in Server Admin to correct it.

    How do I change the name of the Kerberos Realm and how do I change the search base for the Open Directory? (The server is the Open Directory Master)

    I think I probably messed up the changeip command, so I hope there is a way to fix this; otherwise I think I’m going to have to set up the Open Directory master from scratch again, but that seems a little drastic.

    thanks in advance,

    / Hami

    #367851
    maccanada
    Participant

    Let me prefix this with the warning that it’s really early, it’s Monday morning and I haven’t had coffee yet.

    The Kerb realm can be created or destroyed using sso_util and the search base for OD would be stored in /etc/openldap/slapd_macosxserver.conf.
    There may well be other things that need to be changed.
    However, I’ve not tried to hand-craft a change such as this, so I can’t say if changing things like this will work.
    You’ll also need to check that the new hostname correctly resolves forward and reverse.

    ~Ian

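
An added example, not from this thread or from any of its posters: a small POSIX sh audit script that checks the two things Ian's reply raises after a changeip rename. It counts lines in the config files that may still carry the old search base (dc=servername,dc=domain,dc=net) or the old realm, and it checks that the new FQDN resolves forward and reverse to the same answer, since Kerberos will not work until that is true. /etc/openldap/slapd_macosxserver.conf is the file named in the reply; the other paths, the BIND `host` lookup tool, and the sample values (servername.domain.net, servername.domain.lan, 10.0.1.1) are assumptions taken from the thread or the usual Mac OS X Server layout. It only reports; it does not edit any file or touch the KDC.

```shell
#!/bin/sh
# Added example (not from the thread): after a changeip rename, list the config
# files that still carry the old LDAP search base or Kerberos realm, and check
# that the new FQDN resolves forward and reverse to the same answer.
# Assumptions: /etc/openldap/slapd_macosxserver.conf is the file named in the
# thread; the other paths are the usual Mac OS X Server locations; the BIND
# `host` tool is installed. Nothing is modified, the script only reports.

# LDAP suffix for a DNS name: "servername.domain.net" -> "dc=servername,dc=domain,dc=net"
domain_to_suffix() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# Kerberos realm for a DNS name: "servername.domain.net" -> "SERVERNAME.DOMAIN.NET"
domain_to_realm() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Number of lines in file $1 that still mention the old suffix $2 or old realm $3
# (0 when the file does not exist, so the audit can run on any server).
count_stale_refs() {
    file=$1; suffix=$2; realm=$3
    [ -f "$file" ] || { echo 0; return 0; }
    grep -c -F -e "$suffix" -e "$realm" "$file" || true
}

# Forward/reverse agreement on already-resolved answers (pure, so testable offline):
# the forward lookup of the FQDN must give the expected IP, and the reverse
# lookup of that IP must give the FQDN back (trailing dot tolerated).
dns_roundtrip_ok() {
    fqdn=$1; ip=$2; forward=$3; reverse=$4
    if [ "$forward" = "$ip" ] && [ "${reverse%.}" = "$fqdn" ]; then
        return 0
    fi
    return 1
}

# Live version of the check, feeding `host` output to dns_roundtrip_ok.
check_dns_live() {
    fqdn=$1; ip=$2
    forward=$(host "$fqdn" 2>/dev/null | awk '/has address/ { print $NF; exit }')
    reverse=$(host "$ip" 2>/dev/null | awk '/domain name pointer/ { print $NF; exit }')
    dns_roundtrip_ok "$fqdn" "$ip" "$forward" "$reverse"
}

# Report stale references and DNS state for one rename.
audit() {
    old_fqdn=$1; new_fqdn=$2; ip=$3
    old_suffix=$(domain_to_suffix "$old_fqdn")
    old_realm=$(domain_to_realm "$old_fqdn")
    # First path is from the thread; the rest are assumed standard locations.
    for f in /etc/openldap/slapd_macosxserver.conf \
             /etc/openldap/slapd.conf \
             /Library/Preferences/edu.mit.Kerberos \
             /var/db/krb5kdc/kdc.conf; do
        n=$(count_stale_refs "$f" "$old_suffix" "$old_realm")
        if [ "$n" -gt 0 ]; then
            echo "$f: $n line(s) still reference $old_suffix or $old_realm"
        fi
    done
    if check_dns_live "$new_fqdn" "$ip"; then
        echo "DNS ok: $new_fqdn and $ip resolve to each other"
    else
        echo "DNS mismatch: $new_fqdn does not round-trip to $ip; fix DNS before touching Kerberos"
    fi
}

# Usage: sh od_rename_audit.sh servername.domain.net servername.domain.lan 10.0.1.1
if [ "$#" -eq 3 ]; then
    audit "$@"
fi
```

Run it with the old FQDN, the new FQDN and the server's address, as in the usage line at the bottom. A non-zero count against a file is a reference changeip did not rewrite, and a DNS mismatch has to be fixed before anything else, as the reply says; the script deliberately stops at reporting because the thread does not establish a safe in-place rename of the realm.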
    #367853
    hami
    Participant

    Thanks for the quick response Ian,

    I’m pretty confident I can fix the slapd_macosxserver.conf, but sso_util seems to be a bit out of my league. Are there any tutorials around that would explain what I need to do and how I need to do it?

    I’m thinking the best course of action might be to blow the server out and start again with the correct info from the start.

    thanks,

    / Hami

    #367872
    maccanada
    Participant

    Redoing from scratch may well be the easiest and most stable option, but we did an article a while back on Kerberos:
    [url]https://www.afp548.com/article.php?story=20060714092117916&query=kerberos[/url]

    The man page is also fairly useful:
    [code]man sso_util[/code]

    ~Ian

    #367880
    XFox
    Participant

    [QUOTE][u]Quote by: maccanada[/u][p]The Kerb realm can be created or destroyed using sso_util[/p][/QUOTE]

    I read the man page of the sso_util command but it didn’t help me.
    I need to change the Default Realm Name from something like SERVERNAME.DOMAIN.LAN to DOMAIN.LAN.
    With sso_util I only managed to get this information:

    [CODE]servername:/ root# sso_util info -g
    Default Realm Name: SERVERNAME.DOMAIN.LAN
    servername:/ root# sudo sso_util info -r /LDAPv3/127.0.0.1/
    This machine is part of a kerberized directory, realm name is:SERVERNAME.DOMAIN.LAN[/CODE]

    How can I change the Default Realm Name?

    #369175
    VirtualWolf
    Participant

    Sorry for the bump of an old thread…

    Was there a way to easily change the Kerberos realm name? Or at least a step by step guide. I couldn’t glean much of use from the sso_util manpage either, and I don’t really want to bollocks everything up blindly flailing around trying things. 😉

    #378601
    samiam872
    Participant

    This would be very useful… I had the same thing happen. Reverse DNS is in place, and the rest of the server has accepted the changeip command; just the KDC has not been updated. Maybe there is a way to kill the KDC services without having to demote the ODM and then build Kerberos again?

    #378602
    samiam872
    Participant

    If you demote an ODM to standalone and then build it again, can you restore your LDAP directory? It seems like you can, but on a test server this is not working either.
