Kerberos and Open Directory Setup

Viewing 8 posts - 1 through 8 (of 8 total)
  • #373363
    Caislean
    Participant

    I entered into a new IT position, and I inherited an Intel-based Xserve with 10.5.4 on it.

    Currently the company is still using their old Xserve 10.4 on it. My job is to migrate to the new server.

    Parts of the new server are configured, but whoever set it up set the system’s open directory options to Standalone mode.

    I’ve spent a while reading threads at various sites, but I have not come across a set of good, clear instructions on how to set up and start Kerberos.

    Under the System Admin > Open Directory…
    LDAP Server is: Running
    Password Server: Running
    Kerberos is: Stopped

    DNS is working properly.
    [code]hostname[/code] gives the proper information (i.e. not “.local”)
    [code]host ip_address_here[/code] and [code]host server_name[/code] resolve properly.

    Under Server Admin > Open Directory > Settings > General, I do not have a “Kerberize” option. There is only an “Add Kerberos Record” button. I attempted to use the “Add Kerberos Record” button, but the fields it prompts me for are very vague.

    Note 1:
    I’m only setting this all up because, according to the literature I read, I can’t properly set up Wiki and Blog functionality on the Xserve unless I set up Open Directory and Kerberos. This is highly irritating, but oh well.

    Note 2:
    For our network, we want people to log on to their local machines with their own user names and passwords (everyone here is on laptops). However, we have a lot of AFPs, so we need people to have to log in through the server for that.

    #373366
    Caislean
    Participant

    Using changeip -checkhostname, the primary address is correct and the current hostname is correct, but then it gives me…

    “The DNS hostname is not available, please repair DNS and re-run this tool.”

    I find this odd, because the DNS settings imported correctly, and I double checked to make sure their entries are correct (fqdns, ips, etc…). Also, if the DNS hostname is not available, shouldn’t the host command give me some sort of error? (I can look up the server forwards and backwards without any problem).

    As much as I love Apple, it seems like every third post about their servers has the following solution: format and reinstall once you have a DNS problem.

    I checked the console log. First off, the following line shows an incredible (the line appears every three seconds for 4 hours)…
    [code]: krb5kdc: cannot initialize realm LKDC:all-that-ridiculously-long-jumble-here – see log file for details[/code]

    Second, a long slew of warnings about every file on the webserver.
    [code]: Invalid kMDItemPath for (file name here)[/code]

    Third,
    [code]host ip_address[/code]
    works properly.

    And
    [code]host server_name[/code]
    is returning.
    [code]server_name has address ip_address
    Host server_name not found: 3(NXDOMAIN)
    [/code]

    (sorry for all the edits, but I’m trying to make sure I post all the important information).
    I removed all zones from the DNS settings except for reverse lookup. DHCP is disabled. I figure the more simple I keep the initial setup, the easier it will be to figure out what the !@#$!@#$ is going on.
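The forward/reverse checks this post is doing by hand, as an added shell example; it is not from the thread, and it is not Apple's changeip -checkhostname. The parsing functions take the captured text of `host` so the script runs offline on constructed sample lines (server.example.com, oldname.example.com and 10.0.0.5 are made-up values); live_check wraps the same logic around real `host` calls on a server. It keys only on the A record and the PTR, so an extra "not found" line like the one shown above does not by itself fail the check, while a .local name, a name that is not fully qualified, a mismatched address, or a PTR that still points at an old hostname does.

```shell
#!/bin/sh
# Forward/reverse DNS consistency check for an Open Directory master.
# Added example for this thread; not Apple's changeip -checkhostname and not
# the poster's own commands. The parsing functions take captured `host`
# output so they can run offline; live_check wraps real lookups.

# Constructed sample output (not captured from a real server).
SAMPLE_FWD="server.example.com has address 10.0.0.5"
SAMPLE_FWD_NOISY="server.example.com has address 10.0.0.5
Host server.example.com not found: 3(NXDOMAIN)"
SAMPLE_REV="5.0.0.10.in-addr.arpa domain name pointer server.example.com."
SAMPLE_REV_OLD="5.0.0.10.in-addr.arpa domain name pointer oldname.example.com."

# A-record address from `host NAME` output ("NAME has address A.B.C.D").
forward_address() {
    printf '%s\n' "$1" | awk '/ has address /{ print $4; exit }'
}

# PTR target from `host IP` output ("...in-addr.arpa domain name pointer NAME.").
reverse_name() {
    printf '%s\n' "$1" | awk '/domain name pointer/{ sub(/\.$/, "", $NF); print $NF; exit }'
}

# DNS names are case-insensitive, so compare them lower-cased.
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_dns NAME IP FWD_OUTPUT REV_OUTPUT
# Prints "ok" and returns 0 when NAME is a real FQDN, its A record is IP and
# IP's PTR is NAME; otherwise prints the reason and returns 1.
check_dns() {
    name=$1; ip=$2; fwd_out=$3; rev_out=$4
    case "$name" in
        *.local) echo "fail: $name is a Bonjour (.local) name, not a DNS FQDN"; return 1 ;;
        *.*)     ;;
        *)       echo "fail: $name is not fully qualified"; return 1 ;;
    esac
    fwd=$(forward_address "$fwd_out")
    [ -n "$fwd" ]      || { echo "fail: no A record for $name"; return 1; }
    [ "$fwd" = "$ip" ] || { echo "fail: $name resolves to $fwd, expected $ip"; return 1; }
    rev=$(reverse_name "$rev_out")
    [ -n "$rev" ]      || { echo "fail: no PTR record for $ip"; return 1; }
    [ "$(lower "$rev")" = "$(lower "$name")" ] \
        || { echo "fail: $ip points back to $rev, not $name"; return 1; }
    echo "ok"
}

# live_check IP: run the same check against this server's own hostname.
# Needs working DNS, so it is not exercised by the offline samples above.
live_check() {
    name=$(hostname)
    check_dns "$name" "$1" "$(host "$name" 2>&1)" "$(host "$1" 2>&1)"
}
```

On a server you would call `live_check <the server's IP>` before trying to Kerberize; anything other than "ok" is worth fixing in DNS first, since the KDC realm name and the server principal are derived from the hostname.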

    #373393
    Caislean
    Participant

    DNS is now perfect. No excess messages. No errors….

    Under Open Directory, Kerberos is shown as stopped. DNS is still in perfect working order.

    ====
    kerberosautoconfig -r SERVER.DOMAIN.COM -m server.domain.com results in…
    [code]Unable to replace config /Library/Preferences/edu.mit.Kerberos with temp file /Library/Preferences/edu.mit.Kerberos.B0(bunch of junk here) error 1.[/code]

    ====
    And kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p (password) SERVER.DOMAIN.COM
    results in…
    [code]
    “Segmentation fault”
    [/code]
    ===
    slapconfig -kerberize -f diradmin SERVER.DOMAIN.COM results in…

    [code]
    diradmin’s Password:
    Removed directory at path /var/db/krb5kdc.
    command: /sbin/kerberosautoconfig -r SERVER.DOMAIN.COM -m server.domain.com -u -v 1
    kerberosautoconfig command output:
    Unable to replace config /Library/Preferences/edu.mit.Kerberos with temp file /Library/Preferences/edu.mit.Kerberos.nh6N3w6H3i0yc3bDdN1Rw error 1
    command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 SERVER.DOMAIN.COM
    kdcsetup command output:
    Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File
    kdcsetup command failed with status 10
    kdcsetup command failed with exit code 10: stdout=(null), error-message=Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File
    [/code]
    After running slapconfig -kerberize, Kerberos is still stopped. Even after a reboot it doesn’t start.

    ====
    “sso_util configure -r SERVER.DOMAIN.COM -a diradmin -p (password) all” results in…

    [code]
    Contacting the directory server
    /Local/Defaul
    /BSD/local
    /LDAPv3/127.0.0.1
    Creating the service list
    Creating the server principals
    kadmin: Cannot contact any KDC for request realm while initializing kadmin interface
    SendInteractiveCommand: failed to get pattern
    [/code]
    ====

    At the moment web services work (wiki & blogs). Though I can create and manage users and groups without any problem at the moment, I obviously can’t use the Directory app for locations and resources.

    #375659
    td234
    Participant

    Did you ever get this working? I am getting the same error when trying to Autoconfig kerberos from the command line.

    Unable to replace config /Library/Preferences/edu.mit.Kerberos with temp file /Library/Preferences/edu.mit.Kerberos.bdvdR79a8fbD0ldhemn3N error 1

    My Server Admin still reads Kerberos: stopped

    I have tried to follow the instructions here, but run into this error.

    https://www.afp548.com/Articles/Panther/kerberos2.html

    I have tried trashing all the db files as suggested as well, but that does not solve this error above about the preference file.

    I also have tried moving or deleting the preference file as root and it will not let me.

    Lastly, if I run the kdcsetup I get “Segmentation fault”.

    I really could use a little help here.

    #375660
    Caislean
    Participant

    It has been a while since I solved this, but if I remember correctly…

    I used sudo to erase /library/preferences/edu.mit.kerberos and to erase all related temporary files, /library/preferences/edu.mit.kerberos.*

    The problem for me, which no one ever seemed to mention and I only discovered by chance, is that in /var/db/dslocal/nodes/Default/config/Kerberos there were multiple kerberos plist files. One for each time the server had had a different IP address or name, for example: OLDNAME.FORSERVER.COM.plist, ANOTHERNAME.FORSERVER.COM.plist and so on. If these exist, you’ll end up with conflicts and you’ll get the “unable to replace config” error among other things.

    What worked for me:

    1.) Moved Open Directory to standalone mode.
    2.) Backed up all files that matched /var/db/dslocal/nodes/Default/config/Kerberos/*.plist
    3.) Deleted all of the files that matched /var/db/dslocal/nodes/Default/config/Kerberos/*.plist
    4.) Restarted the server
    5.) Promoted OD to master, and voilà, it worked.
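The back-up-then-delete part of the steps above, as an added shell example; it is not the poster's script and not an Apple tool. It lists the realm plists under the Kerberos config directory, plus the edu.mit.Kerberos preference file and its leftover temp copies, and moves them into a backup directory instead of deleting them, so the step is reversible. All paths are parameters so the procedure can be rehearsed on a scratch copy before touching the real directories (the real 10.5 paths are the ones named in this thread, and OLDNAME.FORSERVER.COM / SERVER.DOMAIN.COM are the thread's placeholder realm names). Pass an empty realm to quarantine every plist, as the post did with Open Directory already in standalone mode, or pass the current realm to keep its plist and quarantine only the stale ones.

```shell
#!/bin/sh
# Quarantine stale Kerberos realm plists and leftover edu.mit.Kerberos temp
# copies on an Open Directory master. Added example for this thread; not the
# poster's script and not an Apple tool. Run as root on a real server, with
# OD in standalone mode first, as the post describes. Real 10.5 paths:
#   KRB_DIR=/var/db/dslocal/nodes/Default/config/Kerberos
#   PREF_DIR=/Library/Preferences

# stale_realm_plists KRB_DIR REALM
# Prints every REALMNAME.plist in KRB_DIR, one per line, except REALM.plist.
# With an empty REALM every plist is listed (what the post did).
stale_realm_plists() {
    krb_dir=$1; realm=$2
    for f in "$krb_dir"/*.plist; do
        [ -e "$f" ] || continue            # no plists: the glob stayed literal
        base=${f##*/}
        if [ -n "$realm" ] && [ "$base" = "$realm.plist" ]; then continue; fi
        printf '%s\n' "$f"
    done
    return 0
}

# kerberos_pref_files PREF_DIR
# Prints edu.mit.Kerberos and any edu.mit.Kerberos.<random> temp copies that
# a failed kerberosautoconfig run left behind.
kerberos_pref_files() {
    pref_dir=$1
    for f in "$pref_dir"/edu.mit.Kerberos*; do
        [ -e "$f" ] || continue
        printf '%s\n' "$f"
    done
    return 0
}

# backup_and_remove BACKUP_DIR
# Reads paths from stdin, moves each into BACKUP_DIR (created if missing),
# and prints how many files were moved.
backup_and_remove() {
    backup_dir=$1
    mkdir -p "$backup_dir"
    n=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        mv "$path" "$backup_dir/"
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# clean_stale_kerberos KRB_DIR PREF_DIR REALM BACKUP_DIR
# The whole step: list stale plists and preference files, quarantine them,
# print the count. Reboot and re-promote to OD master afterwards.
clean_stale_kerberos() {
    krb_dir=$1; pref_dir=$2; realm=$3; backup_dir=$4
    {
        stale_realm_plists "$krb_dir" "$realm"
        kerberos_pref_files "$pref_dir"
    } | backup_and_remove "$backup_dir"
}

# Example real invocation (commented out; paths from this thread):
# clean_stale_kerberos /var/db/dslocal/nodes/Default/config/Kerberos \
#     /Library/Preferences "" "/var/root/krb-backup-$(date +%Y%m%d)"
```

Listing first (`stale_realm_plists DIR REALM`) and only then piping into `backup_and_remove` lets you eyeball exactly which old realm names are about to go, which is the point of the post: a plist per former hostname is what makes kerberosautoconfig fail to replace its config.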

    #375663
    td234
    Participant

    Thanks for the reply. I decided, after wasting most of the day, it would be faster to start over since all my data are on external drives. So, I did that and all works fine now. Sad that on a Mac this problem happens to so many and there is no simple fix. Starting over is so PC.

    #375907
    rstasel
    Participant

    So I’m having a similar issue to this. Kerberos seems to be rather hit or miss, so I need to kill it all on the OD master and build anew.

    Has anyone had luck using these methods recently? My main goal is to fix several accounts that don’t have kerberos authauthority entries, so they can’t use kerberos.

    Here’s my post elsewhere in the forum:

    https://www.afp548.com/forum/viewtopic.php?showtopic=23953

