Clients bind to Open Directory but can’t connect

  • #362635
    giskard22
    Participant

    I think I’m having the same problem that was discussed in this thread but I need a real solution that tells me what’s going wrong, not a workaround using .local. I think my setup may be a bit different:

    I’m testing 10.4.2 Server. At the moment it’s set up as a NAT gateway (2 ethernet ports). It’s running DNS, but mostly as a forwarder to our real LAN’s DNS server. I did, however, add a non-existent zone (test.bed) just so I could experiment. The server’s FQDN for the internal-side IP is main.test.bed (the external IP also has a FQDN, but in a different domain).

    When I created the Open Directory, I set the kerberos realm to MAIN.TEST.BED and the search base to dc=test,dc=bed. This was not the default (those used the FQDN for the external IP). I am able to bind a client computer using Directory Access, but when I reboot the client it can’t actually connect to the directory. I get the message, in the client’s system.log:
    DirectoryService[35]: DSLDAPv3PlugIn: Required Policies not Supported: No ClearText. LDAP connection for Node main.test.bed denied.

    On the server, ApplePasswordServer.Server.log contains these for every time I booted the client:
    Aug 2 2005 14:32:41 KERBEROS-LOGIN-CHECK: no principal (@MAIN.TEST.BED)
    Aug 2 2005 14:32:41 QUIT: {no user} disconnected.

    slapd.log contains:
    Aug 2 14:32:41 tiger slapd[348]: SASL [conn=84] Failure: no user in database

    I have this vague idea that the problem is I’m trying to “attach” an Open Directory to an IP and FQDN that is not the server’s primary network interface. I searched the Apple docs for “kerberos principal” and found out to try this:

    tiger:/var/db/krb5kdc root# kadmin.local -q list_principals
    kadmin.local: Improper format of Kerberos configuration file while initializing krb5 library

    So now it seems like something is messing up when the server initializes the Open Directory and Kerberos systems. Any ideas for a fix? I’ve set up the server basically from scratch several times now (I set up the server as standalone, configured NAT, Firewall, DNS, etc. and made a disk image which I keep starting over from) and this happens every time.

    #362636
    giskard22
    Participant

    Sorry for so much material, but I looked at the slapconfig log and found lots of incriminating stuff that I don’t know how to deal with. This appears to be the sequence of what happens when I try to turn the server into an Open Directory Master.

    2005-08-02 12:37:23 -0700 - slapconfig -createldapmasterandadmin
    2005-08-02 12:37:23 -0700 - Creating password server slot
    2005-08-02 12:37:23 -0700 - command: /usr/sbin/mkpassdb -u diradmin -p -q
    2005-08-02 12:37:24 -0700 - command: /usr/sbin/mkpassdb -a -u root -p -q
    2005-08-02 12:37:24 -0700 - command: /usr/sbin/NeST -startpasswordserver
    2005-08-02 12:37:26 -0700 - Starting LDAP server (slapd)
    2005-08-02 12:37:30 -0700 - command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=test,dc=bed -w ****
    2005-08-02 12:37:31 -0700 - Configuring Kerberos server, realm is MAIN.TEST.BED
    2005-08-02 12:37:31 -0700 - command: /sbin/kerberosautoconfig -r MAIN.TEST.BED -m tiger.ailvlabs.edu -u -v 1
    2005-08-02 12:37:32 -0700 - command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 MAIN.TEST.BED
    2005-08-02 12:37:34 -0700 - kdcsetup command output:
    Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File
    Creating Admin ACL File
    Creating Kerberos Master Key
    Creating Kerberos Database
    Creating Kerberos Admin user
    WARNING: no policy specified for [email protected]; defaulting to no policy
    Adding kerberos auth authority to admin user
    Creating keytab for the admin tools
    Adding KDC & kadmind to launchd
    Adding the new KDC into the KerberosClient config record
    Finished
    2005-08-02 12:37:34 -0700 - command: /usr/sbin/sso_util configure -r MAIN.TEST.BED -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 all
    2005-08-02 12:37:37 -0700 - sso_util command output:
    Contacting the directory server
    Creating the service list
    Creating the service principals
    WARNING: no policy specified for xgrid/@MAIN.TEST.BED; defaulting to no policy
    WARNING: no policy specified for vpn/@MAIN.TEST.BED; defaulting to no policy
    WARNING: no policy specified for ipp/@MAIN.TEST.BED; defaulting to no policy
    WARNING: no policy specified for XMPP/@MAIN.TEST.BED; defaulting to no policy
    WARNING: no policy specified for host/@MAIN.TEST.BED; defaulting to no policy
    WARNING: no policy specified for smtp/@MAIN.TEST.BED; defaulting to no policy
    WARNING: no policy specified for http/@MAIN.TEST.BED; defaulting to no policy
    WARNING: no policy specified for pop/@MAIN.TEST.BED; defaulting to no policy
    WARNING: no policy specified for imap/@MAIN.TEST.BED; defaulting to no policy
    WARNING: no policy specified for ftp/@MAIN.TEST.BED; defaulting to no policy
    WARNING: no policy specified for afpserver/@MAIN.TEST.BED; defaulting to no policy
    Creating the keytab file
    kadmin: Error writing to key table while adding key to keytab
    kadmin: Error writing to key table while adding key to keytab
    kadmin: Error writing to key table while adding key to keytab
    kadmin: Error writing to key table while adding key to keytab
    kadmin: Error writing to key table while adding key to keytab
    kadmin: Error writing to key table while adding key to keytab
    kadmin: Error writing to key table while adding key to keytab
    kadmin: Error writing to key table while adding key to keytab
    kadmin: Error writing to key table while adding key to keytab
    kadmin: Error writing to key table while adding key to keytab
    kadmin: Error writing to key table while adding key to keytab
    Configuring services
    WriteSetupFile: setup file path = /temp.OxZV/setup
    Unable to configure service http error = 2
    Cleaning up 
    2005-08-02 12:37:37 -0700 - command: /usr/sbin/sso_util configure -r MAIN.TEST.BED -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 ldap
    2005-08-02 12:37:37 -0700 - sso_util command output:
    Contacting the directory server
    Creating the service list
    Creating the service principals
    WARNING: no policy specified for ldap/@MAIN.TEST.BED; defaulting to no policy
    Creating the keytab file
    kadmin: No entry for principal ldap/@MAIN.TEST.BED exists in keytab WRFILE:/etc/krb5.keytab
    kadmin: Error writing to key table while adding key to keytab
    Configuring services
    WriteSetupFile: setup file path = /temp.vfqW/setup
    Cleaning up 
    2005-08-02 12:37:37 -0700 - command: /sbin/kerberosautoconfig -u -v 1
    2005-08-02 12:37:37 -0700 - kerberosautoconfig command output:
    The machine is standalone
    Removing /Library/Preferences/edu.mit.Kerberos
    2005-08-02 12:37:37 -0700 - kerberosautoconfig command failed with status 255
    2005-08-02 12:37:37 -0700 - command: /usr/sbin/mkpassdb -kerberize
    2005-08-02 12:37:38 -0700 - mkpassdb command output:
    kadmin.local: unable to get default realm
    kadmin.local: unable to get default realm
    2005-08-02 12:37:38 -0700 - command: /usr/sbin/vpnaddkeyagentuser -q /LDAPv3/127.0.0.1
    2005-08-02 12:37:39 -0700 - slapconfig -setldapconfig
    2005-08-02 12:37:39 -0700 - command: /usr/sbin/mkpassdb -setreplicationinterval 86400 SyncAnytime
    2005-08-02 12:37:47 -0700 - slapconfig -setmacosxodpolicy
    2005-08-02 12:37:48 -0700 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    2005-08-02 12:42:34 -0700 - slapconfig -setmacosxodpolicy
    2005-08-02 12:42:34 -0700 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
    

    Here’s the part that I don’t understand:
    2005-08-02 12:37:31 -0700 - command: /sbin/kerberosautoconfig -r MAIN.TEST.BED -m tiger.ailvlabs.edu -u -v 1

    According to ‘man kdcsetup’, that’s the format you would use to create a standard MIT KDC. You use a different set of switches to create an “Apple KDC” for use with Open Directory. So why is the server creating the wrong kind of KDC (or is it)?

    #362657
    giskard22
    Participant

    Thanks for the reply. I guess I’m hoping for a real fix rather than a workaround. I know my setup sounds a bit odd, but is it really? Apple put an emphasis on 10.4 Server acting as a gateway for small networks, even going so far as to create a Setup Assistant for that purpose. It doesn’t seem like it should be hard to do what I’m doing. Is the problem simply that I’m trying to relate everything to a fake internal DNS zone? I know in a production environment you’d have a real one to work with, but I’m just testing here.

    #362660
    giskard22
    Participant

    I started from scratch and it’s all working. I guess Open Directory really does need a real, working FQDN.

    #363639
    Anonymous
    Guest

    I recently added a second IP to my primary ethernet interface, and I think that is confusing the directory services because the FQDN for it is different. I tried adjusting the sort order so it was lowest on the list (even past internal IPs) and it still has the problem.

    #364161
    Anonymous
    Guest

    Hi,
    I’m having similar problems. I’ve isolated it to an additional zone I’ve added in DNS. This is what really sucks about the Tiger DNS interface: the reverse lookup zones are hidden and unpredictable (actually, the last zone added).

    When you add 2 “NS” or “A” records for a host in two different zones: this configuration is required to support multiple domain names, which they have added support for in mail/postfix and apache but broken in the DNS interface.

    If this returns the wrong information:

    nslookup 10.0.4.10 (your server ip address)

    modify /var/named/db.10.0.4 as appropriate.
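A check for the forward/reverse DNS agreement the last post is getting at, added here as an example that is not from the thread: it parses minimal BIND-style zone text (the kind of file /var/named/db.10.0.4 is) and verifies that a host's A record and the matching PTR record name the same FQDN. The zone snippets and the 10.0.4.10 address are constructed; main.test.bed and tiger.ailvlabs.edu are the names that appear in the thread, and a PTR answering with the wrong one is exactly the mismatch the slapconfig log above shows (realm MAIN.TEST.BED, but the server identifying itself as tiger.ailvlabs.edu).

```python
"""Added example: verify that A and PTR records agree for a host.
Minimal zone parser: one record per line with an explicit owner name,
$ORIGIN honoured, comments stripped; SOA/TTL directives are ignored."""
from typing import Dict, List, Tuple

# Constructed zone snippets modelling the thread's setup (assumed values).
FORWARD_ZONE = "$ORIGIN test.bed.\nmain  IN A  10.0.4.10\n"
REVERSE_BAD = "$ORIGIN 4.0.10.in-addr.arpa.\n10  IN PTR tiger.ailvlabs.edu.  ; wrong name\n"
REVERSE_GOOD = "$ORIGIN 4.0.10.in-addr.arpa.\n10  IN PTR main.test.bed.\n"


def parse_zone(text: str, origin: str = "") -> Dict[str, List[Tuple[str, str]]]:
    """Return {owner_fqdn: [(rtype, rdata), ...]}; names are lower-cased, no trailing dot."""
    records: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):                      # $TTL etc.
            continue
        parts = line.split()
        owner, rest = parts[0], parts[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                               # optional TTL / class
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype in ("PTR", "CNAME", "NS") and not rdata.endswith("."):
            rdata = f"{rdata}.{origin}."              # qualify relative target
        if owner == "@":
            fqdn = origin
        else:
            fqdn = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"
        records.setdefault(fqdn.lower(), []).append((rtype, rdata))
    return records


def reverse_name(ip: str) -> str:
    """10.0.4.10 -> 10.4.0.10.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def check_host(fqdn: str, forward: Dict, reverse: Dict) -> List[str]:
    """Return a list of problems; an empty list means every A has a PTR back to fqdn."""
    problems = []
    a_records = [rd for rt, rd in forward.get(fqdn.lower(), []) if rt == "A"]
    if not a_records:
        return [f"no A record for {fqdn}"]
    for ip in a_records:
        ptrs = [rd.rstrip(".").lower() for rt, rd in reverse.get(reverse_name(ip), []) if rt == "PTR"]
        if not ptrs:
            problems.append(f"{ip}: no PTR record")
        elif fqdn.lower() not in ptrs:
            problems.append(f"{ip}: PTR points to {', '.join(ptrs)}, not {fqdn}")
    return problems
```

Run it against the real zone files with `parse_zone(open(path).read())` and the server's FQDN; an empty list from `check_host` is the condition the post's nslookup test is looking for.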
