DNS Setup for Open Directory Children
This topic has 13 replies, 3 voices, and was last updated 20 years, 8 months ago by Dave Hagan.
July 30, 2004 at 4:16 pm #358623
Dave Hagan
I am curious. I have set up a server as an Open Directory Master. Works great! DNS is functional, KDC works, and I’m able to log in on both Mac and PC without a hitch. Now what I would like to do is add two additional servers for AFP network home directories. They would be children to the OD Master. How would I set up the DNS on them? Would I set it up identical to the way I set up the OD Master Server, except for the names of the servers? Your suggestions/help is graciously appreciated!
August 2, 2004 at 4:44 pm #358633
Dave Hagan
[QUOTE BY=macshome]
Are these going to be domain members or replicas? In any case you can just make entries for them on the master DNS server and then tell them to look there for DNS info. If you wanted to you could set them up as DNS slaves in Server Admin as well just to have some more redundancy.
[/QUOTE]
Can you tell me how to do this?

I added a record to DNS to reflect the new server, and it digs, but how do I configure it to the master? Should KDC be running on it too? Do I have to configure its DNS too?
August 3, 2004 at 4:56 pm #358660
Dave Hagan
Okay, Josh,
I got the replica to work! Wahoo! Everything is slicker than slick…however…
What if I want the server to just be a domain member?
My understanding is that creating a replica is a performance hit, and I will have some 160 users logged into the AFP server. I had intended on using another server strictly for the replica. Any thoughts?
August 3, 2004 at 4:57 pm #358661
Dave Hagan
I should rephrase that…What if I want my server to be connected to a directory service?
August 4, 2004 at 12:55 am #358670
honestpuck
Dave,
You said:
[QUOTE]
I should rephrase that…What if I want my server to be connected to a directory service?
[/QUOTE]
OK, short explanation of how OD works. An OD Master sits at the top of the tree. A LAN/WAN should only have one of these. An OD Replica is a copy of this that can be used to take the load off the Master or as a LAN copy of a WAN OD Master (I have a Master in one city and a Replica in another city, for example). An OD Slave is a server that does not offer any directory services at all but uses another server (either Master or Replica) to authenticate users for services such as mail serving and file sharing.
So if you want a server to be used only for stuff other than authenticating use Server Admin to make it an OD Slave and point it at your OD Master. Job done.
Just to make this reply topical to the DNS section – make sure that your DNS server has both forward and back entries for your OD Slave. In fact, always make sure every server you build has forward and back entries in your DNS before you do the Server software install, it makes life so much easier. Oh, and when doing the Server install just point them to your DNS boxes as if they were a client.
Tony
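The "forward and back entries" Tony insists on can be verified before the Server install. The following is an added example, not code from the thread or from Apple's tools: it writes out the A and PTR records a server needs and checks them through a resolver, which can be the host's real DNS (`system_resolver`) or constructed zone data (`fake_resolver`) for offline runs. The hostnames and the 10.10.17.x addresses in the test are taken from or modelled on the thread and are assumptions, not real infrastructure.

```python
import socket

def ptr_name(ip):
    """in-addr.arpa owner name for an IPv4 address, e.g. 19.17.10.10.in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def zone_records(hostname, ip):
    """The A record and matching PTR record every server needs before install."""
    fqdn = hostname.rstrip(".").lower() + "."
    return [f"{fqdn} IN A {ip}", f"{ptr_name(ip)} IN PTR {fqdn}"]

def system_resolver():
    """Live lookups via the host's configured DNS: (forward, reverse) callables."""
    def forward(name):
        try:
            return socket.gethostbyname(name)
        except OSError:
            return None
    def reverse(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None
    return forward, reverse

def fake_resolver(a_records, ptr_records):
    """Constructed zone data (not real DNS) so the check can run offline."""
    return (lambda name: a_records.get(name.rstrip(".").lower()),
            lambda ip: ptr_records.get(ip))

def check_host(hostname, expected_ip, resolver):
    """Return (ok, problems); ok only when the A and PTR records agree."""
    forward, reverse = resolver
    name = hostname.rstrip(".").lower()
    problems = []
    ip = forward(name)
    if ip is None:
        problems.append(f"no A record for {name}")
    elif ip != expected_ip:
        problems.append(f"A record for {name} is {ip}, expected {expected_ip}")
    rev = reverse(expected_ip)
    if rev is None:
        problems.append(f"no PTR record for {expected_ip}")
    elif rev.rstrip(".").lower() != name:
        problems.append(f"PTR for {expected_ip} is {rev}, expected {name}")
    return (not problems, problems)
```

Run `check_host("newton.mydomain.com", "10.10.17.19", system_resolver())` on the machine about to be joined; an empty problem list is what you want to see before promoting it or pointing it at the OD Master.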
August 4, 2004 at 3:15 pm #358673
Dave Hagan
Well, I successfully connected as a replica. Only problem is now I cannot log in. It says logging in…and it stays at the barber pole logging in window for infinity…any suggestions?
August 4, 2004 at 5:27 pm #358675
honestpuck
OK, if your server is a replica have you made sure that you’ve already pushed the directory information from the master to it?
Log on and try something like a ‘slapcat’ to dump out the LDAP server records. That should show you if you have the information.
If that seems OK then try logging in via ssh from a client that is pointed at your replica. If that works then on your client try getting a Kerberos ticket. If that works then try mounting an AFP share as the user you have a ticket for. then try logging into the client as a network user.
But from your original post that these servers are for home directories, they are only for AFP, so I’d make them Slaves if I was you. No point in having them as Replicas.
When you see which of those bits work and not work you’ve got a better idea where you’re broken.
Tony
August 4, 2004 at 9:37 pm #358677
Dave Hagan
Ahhh yes, slaves…what I wanted to do…
I tried the whole slave routine with OS X Server – you know – “Connected to a Directory Server.” Here’s the question though. Does DNS have to be fully functional on the slave? I was successful in creating a forward and reverse A record in my master’s DNS. However, I feel that has something to do with.
What I need is explicit instructions on how to connect a slave and I’ll be home free. Thanks-a-bunch.
August 4, 2004 at 10:17 pm #358678
Dave Hagan
Also what is “try something like a ‘slapcat’ to dump out the LDAP server records” and how do I do it?
August 4, 2004 at 11:12 pm #358679
honestpuck
Dave,
1/ For a Slave you only need to point it at a working DNS, it doesn’t need to have DNS running on it. You only need one (or preferably two) DNS servers in a net.
2/ slapcat is a command line utility to dump all or part of an LDAP database to standard out in LDIF format. ‘man slapcat’ at the CLI prompt for details but I find it useful to just do a quick dump to see if the LDAP server is nicely populated.
Tony
August 5, 2004 at 2:07 am #358680
Dave Hagan
[QUOTE]
1/ For a Slave you only need to point it at a working DNS, it doesn’t need to have DNS running on it. You only need one (or preferably two) DNS servers in a net.
[/QUOTE]
On my open directory master (called Einstein) I have a fully functional DNS and Open Directory setup. I can log into network home directories on Einstein, etc. So what I want to do now is add a new server, Newton, to do AFP for home directories.
I went into DNS on Einstein, added an entry (A) saying that newton.mydomain.com 10.10.17.19. That works, I get a forward and reverse. Cool.
I then go over to Newton, open Server Admin. It even knows it’s newton.mydomain.com. Splendid. I go into Open Directory, and change it from Standalone to Connected to a Directory Service. Open Directory Access, add a configuration…called it Einstein, typed in the OD Master’s web address, did the search base suffix thing…pointed the authentication by adding the search policy LDAPv3/mydomain.com. Click Join Kerberos…type in info…it doesn’t do anything that lets me know it’s connected…so I assume it is…
But I still cannot get Kerberos to work on Newton. Thus when I go into Workgroup Manager and configure a user to use the home directory on Newton (it sees it)…it will not let me log in! Works great on Einstein.

So after consulting this forum and others, they said do the Replica instead. So I demoted to Standalone, restarted, and upon reboot promoted to Replica. It worked in as much as KDC was running as was LDAP. The only problem was it killed LDAP on Einstein…it said stopped. Now no clients could log in. ARGH! And on and on it goes.
Needless to say, I am frazzled by this whole thing and am pissed at Apple for making such an unclear arrangement in 10.3 Server. I could do this in 10.2 Server with NetInfo. Now with all the Kerberos, I have to make sure all this other BS is working which seems irrelevant for my needs. And the fact Apple has glossed over it in their documentation just makes me more mad.
August 5, 2004 at 4:07 pm #358692
Dave Hagan
Success…sort of…I think….here goes:
I reread the OD documentation and realized that I had not added the server to the computer list. That also meant delegating Kerberos would be wrong. I can now login from a client to Einstein & have my home directory on Newton. HOWEVER… both LDAP and KDC say stopped on Newton? Is this going to be okay?
I’m now working on a problem getting my Windows clients roaming profile to work with Newton, it can find the profile.
I will be doing some more work there. Now what is “Enable Virtual Home directory?”