edu.mit.kerberos file questions
This topic has 6 replies, 2 voices, and was last updated 19 years, 12 months ago by mhelman.
April 13, 2006 at 2:14 pm #365966
mhelman
Participant
Hi,
I have 10.3.9 clients authenticating to AD and being managed by Computer Lists from OS X Server.
I am working at solving an occasional problem where the user can either not authenticate via AD or can but loses their automounting windows share.
I can see when this happens that the AD information is no longer generated in the edu.mit.kerberos file.
It has been suggested that making the file static fixes the problem, and it does; however, it has also been suggested that fixing the problem this way may cause other problems later.
Two questions then for those who know:
1. I’ve noticed that the auto-generated file may sometimes contain:
#autogenerated from: /Active Directory/addomain.com
or
#autogenerated from: /Active Directory/addomain.com, /LDAPv3/oddomain.com
So, if I were to remove the OD information from the line, would it stay that way and just autogenerate the file from the AD domain from then on?
2. In reading up on the edu.mit.kerberos file, mit says that "You should always have a configuration file that has a [libdefaults] section with a default_realm specified. Otherwise, getting Kerberos tickets at login time may fail."
The [libdefaults] that is autogenerated for me only contains:
ticket_lifetime = 600
dns_fallback = no
Would adding the default realm also help fix the problem? It appears so, but I don’t look after AD, so I’m not sure what problems adding this in will cause (if any).
For those interested, there is a thread on this at the MacEnterprise list.
Thanks,
Mark

April 13, 2006 at 7:59 pm #365975
mhelman
Participant
[QUOTE][u]Quote by: macshome[/u]
Most of the time in a magic triangle setup you will want to remove or rename the client KDC info in the OD database to prevent it from polluting the edu.mit.Kerberos files on the clients.
Apple has a KB on it here.
[/QUOTE]
OK, I’ll make the change on the Server 😉
I just don’t like removing functionality so I was looking for another way.
Hopefully this will do the trick. Thanks!
Mark
June 10, 2006 at 8:06 pm #366388
mhelman
Participant
The KB you suggested worked great – thanks!
Now that I am happy with the Server, I have set up a Replica; however, I noticed that the KDC is not running.
This replica is 10.3.9 and was taken from Standalone directly to Replica.
Am I correct in assuming that, since the Server is no longer handing out Kerberos information, the Replica would be unable to run a KDC?
If so (and since I am only using the Server and Replica to serve preferences for the Guest Computer List), would leaving things as they are be advisable?
If not, what do I need to do to get the KDC running?
Thanks,
Mark

June 10, 2006 at 8:08 pm #366389
mhelman
Participant
Just to be clear, the KDC is running on the OD Master, but not on the Replica.
June 21, 2006 at 2:05 am #366463
mhelman
Participant
Just in case anyone reads this thread and is looking for the answer: in this setup, the KDC showing as stopped is the expected behaviour on the Replica.
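An added illustration, not part of the thread, of the [libdefaults] and default_realm point raised in the first post: what a hand-maintained edu.mit.kerberos looks like when it is written in krb5.conf format with the default_realm MIT recommends. The realm name ADDOMAIN.COM and the domain controller host name are placeholders standing in for the AD domain in the original; the two [libdefaults] values the thread quotes are kept as they were. With dns_fallback = no (and no dns_lookup_kdc setting overriding it) the Kerberos library will not use DNS to find a KDC, so the [realms] block has to name one explicitly or ticket requests will fail even with default_realm set. The thread's own resolution, per the quoted reply, was to stop the OD KDC record from being merged into the auto-generated file rather than to maintain a static one, so this file is only a reference for what the static variant would contain.

```ini
# Added example (not from the thread): static edu.mit.kerberos in krb5.conf format.
# ADDOMAIN.COM and dc1.addomain.com are placeholders for the real AD realm and KDC.

[libdefaults]
    # Assumption: the Kerberos realm is the AD domain name in upper case.
    default_realm = ADDOMAIN.COM
    # Values the thread reports in the auto-generated file, kept unchanged.
    ticket_lifetime = 600
    dns_fallback = no

[realms]
    # dns_fallback = no means no SRV lookup, so the KDC must be listed here.
    ADDOMAIN.COM = {
        kdc = dc1.addomain.com
        admin_server = dc1.addomain.com
    }

[domain_realm]
    # Map host names in the AD domain onto the realm so service tickets resolve.
    .addomain.com = ADDOMAIN.COM
    addomain.com = ADDOMAIN.COM
```

A quick check after editing the file is to run kinit for an AD user and then klist; if a ticket for krbtgt/ADDOMAIN.COM@ADDOMAIN.COM appears, the realm mapping and KDC entry are being read correctly.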