I’m trying to set up a new server with 10.4 Server, but I simply can’t get Kerberos to work. I have now tried everything I can think of, so now I ask here to see if you can help.
This is a fresh install, so the first thing I do is make sure that the DNS – which is running on the same server – is OK. I make one zone, and to start with that’s all: no CNAMEs, no MX, etc. I then restart and check that the machine’s hostname is indeed what I want it to be, and check DNS and reverse DNS with dig in the Terminal and lookupd through Network Utility. Everything looks OK.
Then I promote the server to an Open Directory Master and get the dialog where I create the Kerberos realm. Everything still looks OK. After that it looks like Kerberos is running – at least that’s what Server Admin is telling me – but it doesn’t work. When I check the logs I can see several errors. I have changed the real hostname to myserver.domain.tld in this post:
Directory Services error log:
2005-05-22 06:13:15 PDT – Attempt #1 to initialize plug-in LDAPv3 failed.
Will retry initialization at most 100 times every 1 second.
2005-05-22 06:13:15 PDT – Network transition in LDAPv3 plugin returned error -14279
kadmin.log:
May 22 16:09:30 myserver.domain.tld kadmin.local[316](info): No dictionary file specified, continuing without one.
Does this make any sense to you? LDAP is working, since I can log into networked homes, but Kerberos is not working, since I have to enter passwords when using ssh after already being logged in. I simply can’t figure out where I’m doing something wrong.
I’m wondering if it has something to do with the fact that it’s impossible to define the hostname during the setup of the server. It seems like even though the server later got the right hostname through DNS, it still defaults to myserver.local in Server Admin and Workgroup Manager, and not myserver.domain.tld.
Is the default_realm defined in /Library/Preferences/edu.mit.kerberos the good one on the server and on the clients?
What did you define in Network preferences for the address of your DNS server: your external IP or 127.0.0.1?
David
Regarding DNS: The server is working behind a router with NAT, so it has a local IP called 10.0.0.5 and that is what I wrote in Network in System Preferences.
I have just wiped the server again (I have done that a LOT of times) and now it works, but it has worked sporadically before and then just stopped.
I can now log on to the server and it automatically mounts the networked home-folder. With the Kerberos.app I can see that I have got a ticket. SSH also works without a password.
This is great, but I’m not completely sure that everything is right yet. Here you can see the contents of edu.mit.kerberos:
# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
# autogenerated from : /LDAPv3/127.0.0.1
# generation_id : 1265068861
[libdefaults]
default_realm = G4SERVER.RFN.DK
[realms]
G4SERVER.RFN.DK = {
kdc = g4server.rfn.dk
admin_server = g4server.rfn.dk
}
[domain_realm]
rfn.dk = G4SERVER.RFN.DK
.rfn.dk = G4SERVER.RFN.DK
[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log
The client has the same values, now that it works.
The system.log shows this after startup:
May 26 18:52:51 g4server mDNSResponder: Update _kerberos._tcp.G4SERVER.RFN.DK. refused
May 26 18:52:51 g4server mDNSResponder: Registration of record _kerberos._tcp.G4SERVER.RFN.DK. type 33 failed with error -65553
May 26 18:52:51 g4server mDNSResponder: Update _kerberos._udp.G4SERVER.RFN.DK. refused
May 26 18:52:51 g4server mDNSResponder: Registration of record _kerberos._udp.G4SERVER.RFN.DK. type 33 failed with error -65553
May 26 18:52:51 g4server mDNSResponder: ERROR: Only name server claiming responsibility for "_kerberos.g4server." is "."!
The slapconfig log shows this:
2005-05-26 17:54:45 +0200 – command: /usr/sbin/sso_util configure -r G4SERVER.RFN.DK -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 ldap
2005-05-26 17:54:46 +0200 – sso_util command output:
Contacting the directory server
Creating the service list
Creating the service principals
WARNING: no policy specified for ldap/[email protected]; defaulting to no policy
Creating the keytab file
kadmin: No entry for principal ldap/[email protected] exists in keytab WRFILE:/etc/krb5.keytab
Configuring services
WriteSetupFile: setup file path = /temp.h8wO/setup
Cleaning up
2005-05-26 17:54:46 +0200 – command: /sbin/kerberosautoconfig -u -v 1
2005-05-26 17:54:46 +0200 – kerberosautoconfig command output:
The machine is standalone
Removing /Library/Preferences/edu.mit.Kerberos
2005-05-26 17:54:46 +0200 – kerberosautoconfig command failed with status 255
2005-05-26 17:54:46 +0200 – command: /usr/sbin/mkpassdb -kerberize
2005-05-26 17:54:46 +0200 – mkpassdb command output:
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
2005-05-26 17:54:46 +0200 – command: /usr/sbin/vpnaddkeyagentuser -q /LDAPv3/127.0.0.1
2005-05-26 17:54:48 +0200 – slapconfig -setldapconfig
2005-05-26 17:54:48 +0200 – command: /usr/sbin/mkpassdb -setreplicationinterval 86400 SyncAnytime
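As an added check (example code written for this page, not part of the thread and not one of Apple's tools), the script below reads an edu.mit.kerberos file of the shape posted above and flags the configuration mistakes this thread keeps circling: a default_realm with no matching [realms] block, a KDC named by a Bonjour .local or bare hostname instead of the DNS FQDN (the myserver.local problem from the first post), and a KDC host that no [domain_realm] entry maps back to the realm. The sample text is constructed from the posted file; the default KRB5_CONF path and the "key = value" spacing the parser expects are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Statically checks an edu.mit.kerberos
# (krb5.conf-style) file for: a default_realm without a [realms] block, a KDC
# named by a .local or bare hostname, and a KDC host that no [domain_realm]
# entry maps to the realm. Sample text is constructed from the posted file;
# KRB5_CONF is an assumed default path; entries are assumed to be "key = value".

KRB5_CONF="${KRB5_CONF:-/Library/Preferences/edu.mit.kerberos}"

# make_sample_conf KDCHOST -> path of a temp file holding the constructed sample
make_sample_conf() {
  f=$(mktemp)
  cat >"$f" <<EOF
[libdefaults]
default_realm = G4SERVER.RFN.DK
[realms]
G4SERVER.RFN.DK = {
  kdc = $1
  admin_server = $1
}
[domain_realm]
rfn.dk = G4SERVER.RFN.DK
.rfn.dk = G4SERVER.RFN.DK
[logging]
kdc = FILE:/var/log/krb5kdc/kdc.log
EOF
  echo "$f"
}

# conf_get FILE SECTION KEY -> first "KEY = value" inside [SECTION] (single-realm files)
conf_get() {
  awk -v sec="[$2]" -v key="$3" '
    { sub(/^[ \t]+/, "") }                 # tolerate indented entries
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $1 == key && $2 == "=" { print $3; exit }
  ' "$1"
}

# check_krb5_conf FILE -> exit 0 if consistent; prints each problem and exits 1 otherwise
check_krb5_conf() {
  f="$1"; problems=0
  realm=$(conf_get "$f" libdefaults default_realm)
  if [ -z "$realm" ]; then
    echo "no default_realm in [libdefaults]"; return 1
  fi
  if ! grep -q "^[[:space:]]*$realm = {" "$f"; then
    echo "default_realm $realm has no [realms] block"; problems=$((problems + 1))
  fi
  kdc=$(conf_get "$f" realms kdc)
  case "$kdc" in
    "")               echo "no kdc entry under [realms]"; problems=$((problems + 1)) ;;
    *.local|*.local.) echo "kdc '$kdc' is a Bonjour .local name, not a DNS FQDN"; problems=$((problems + 1)) ;;
    *.*)              ;;
    *)                echo "kdc '$kdc' is not fully qualified"; problems=$((problems + 1)) ;;
  esac
  # Walk the KDC host and its parent domains; one of them must map to the realm.
  mapped=0; d="$kdc"
  while [ -n "$d" ] && [ "$mapped" -eq 0 ]; do
    for k in "$d" ".$d"; do
      if [ "$(conf_get "$f" domain_realm "$k")" = "$realm" ]; then mapped=1; fi
    done
    case "$d" in *.*) d="${d#*.}" ;; *) d="" ;; esac
  done
  if [ "$mapped" -eq 0 ]; then
    echo "no [domain_realm] entry maps '$kdc' to $realm"; problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Stand-alone demo: the constructed sample, then the real file if it is readable.
sample=$(make_sample_conf g4server.rfn.dk)
if check_krb5_conf "$sample"; then echo "sample config: consistent"; fi
rm -f "$sample"
if [ -r "$KRB5_CONF" ]; then
  if check_krb5_conf "$KRB5_CONF"; then echo "$KRB5_CONF: consistent"; fi
fi
```

Run it on the server and on a client; the file is regenerated from LDAP on each, so a client whose KDC line comes out as a .local name is the first thing this catches. A clean result only proves the file is self-consistent; it does not prove the KDC host resolves, so keep the dig forward/reverse check from the first post alongside it.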
I have had some weird issues with Kerberos on 10.4.0 Server as well. The 10.4.1 update hosed my OD setup as well. However, I never wiped the system and reinstalled. There’s nothing wrong with the actual installation, and reinstalling is just a headache that you don’t have to go through. What I have done is export the user definitions (and computer lists, etc.) in Workgroup Manager. Then, demote the server to standalone, and then re-promote it back to OD Master. You can then import the user definitions. You will have to manually change the password to be an OD password – you’ll have to reset the password as well.
Once I have it working, I use the nifty new backup feature in Server Admin. Then, if I hose it at some point in the future, I can just restore using the same feature. This is a very useful and timesaving new feature.
I had problems as well.
The problem was the ldap base.
It was name.local instead of name.company.com
If you are running DNS on the very machine, you need to install the server as standalone server first.
Setup DNS, set your local network setting, so that your own IP is the first DNS server.
Upgrade to Open Directory Master.
You might hate this suggestion, but unless you have a real, mission-critical use for it, disable IPv6. The only way to effectively do this is to turn it off in the Setup Assistant immediately after a clean install, after the first restart. It’s something to do with the IPv6 name tables in 10.4… I was having a ton of problems getting a working OD Master setup until I finally turned off IPv6.
Side note: This info isn’t something I stumbled on to. It was passed to me from one of the guys I work with at my university, and he got it from an Apple engineer who was helping someone else here. Anyway… just wanted to suggest that, good luck.
I setup a Mac OS X.4 server several months ago.
It’s running all network services: DHCP, DNS, OD, AD, AFP, SMB…
Initially I set it up as a standalone server.
Configured DNS and DHCP, verified and tested it, but I had the DNS server(s) under Network Config as 127.0.0.1 and the firewall address, so I changed it to the server’s network address.
Configured OD as “Master” and configured LDAP to point to the server by its DNS name.
All services show as running.
I get this error when trying to connect to the server using Kerberos authentication.
Client not found in Kerberos database
Below are the most recent log files from Server Admin
kadmin Log
Feb 06 16:36:34 localhost kadmind[63](debug): Got signal to request exit
Feb 06 16:36:34 localhost kadmind[63](info): finished, exiting
Feb 06 16:37:52 localhost kadmind[65](info): Seeding random number generator
Feb 06 16:37:52 localhost kadmind[65](info): No dictionary file specified, continuing without one.
Feb 06 16:37:52 localhost kadmind[65](info): starting
kdc Log
Feb 06 17:04:36 server.acton.k12.me.us krb5kdc[221](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.0.170: ISSUE: authtime 1139263476, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
Feb 06 17:04:37 server.acton.k12.me.us krb5kdc[221](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.0.170: UNKNOWN_SERVER: authtime 1139263476, [email protected] for afpserver/[email protected], Server not found in Kerberos database
LDAP Log
Feb 6 15:44:07 server slapd[65]: <= bdb_equality_candidates: (apple-computers) index_param failed (18)\n
Feb 6 16:11:47 server slapd[65]: SASL [conn=13630] Failure: no user in database\n
Feb 6 16:37:52 localhost slapd[67]: @(#) $OpenLDAP: slapd 2.2.19 $\n
Feb 6 16:37:53 localhost slapd[67]: bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)\n
Feb 6 16:37:53 localhost slapd[67]: bdb_db_init: Initializing BDB database\n
Feb 6 16:37:53 localhost slapd[67]: slapd starting\n
Feb 6 16:45:11 server slapd[67]: connection_input: conn=29 deferring operation: awaiting write\n
Feb 6 17:12:12 server slapd[67]: SASL [conn=90] Failure: no user in database\n
Password Service Server Log
Feb 6 2006 17:04:14 KERBEROS-LOGIN-CHECK: user {0x4303712f46fde9440000000400000004, mcorey} authentication failed.
Feb 6 2006 17:04:14 QUIT: {no user} disconnected.
Feb 6 2006 17:04:36 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000001, admin} is in good standing.
Feb 6 2006 17:04:36 QUIT: {no user} disconnected.
Feb 6 2006 17:04:36 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000001, admin} authentication succeeded.
Feb 6 2006 17:04:36 QUIT: {no user} disconnected.
Feb 6 2006 17:12:12 KERBEROS-LOGIN-CHECK: no principal ([email protected])
Feb 6 2006 17:12:12 QUIT: {no user} disconnected.
After reading through this thread I’ve noticed that there is one thing that I haven’t done but probably need to do in order to remedy this issue, and that is to demote OD to Standalone -> Reboot -> promote OD to Master/Primary.
I can’t and won’t do that because we already have 300 users in the database.
I’m not going to tell everyone that their passwords have all been reset and they need to change their passwords.
Is there a way around my issues without dropping the database and then importing the database?
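Before deciding whether a demote/re-promote is unavoidable, it helps to know exactly which principals the KDC is rejecting and whether the server still holds keys for them. The script below is an added example written for this page, not code from the thread or from Apple: it reads the kdc.log quoted above (path from the [logging] section of the posted edu.mit.kerberos) and a saved listing of the server keytab, lists the service principals behind each UNKNOWN_SERVER / "Server not found in Kerberos database" line and the users behind each "Client not found" line, and then classifies every rejected service principal as either present in the keytab but unknown to the KDC (database and keytab out of sync) or absent from both (never created). The log and keytab samples are constructed in the style of the quoted logs with invented hostnames and principals; the `klist -kt` listing format it parses is MIT's.

```shell
#!/bin/sh
# Added example, not from the thread: triage kdc.log and a saved `klist -kt`
# listing for principals the KDC does not know. KDC_LOG is the [logging] path from
# the posted edu.mit.kerberos; every hostname and principal in the samples below is
# constructed, not taken from the thread.

KDC_LOG="${KDC_LOG:-/var/log/krb5kdc/kdc.log}"

# make_sample_kdc_log -> temp file with constructed krb5kdc lines in the quoted format
make_sample_kdc_log() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
Feb 06 17:04:36 server.example.com krb5kdc[221](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.0.170: ISSUE: authtime 1139263476, etypes {rep=16 tkt=16 ses=16}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 06 17:04:37 server.example.com krb5kdc[221](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.0.170: UNKNOWN_SERVER: authtime 1139263476, admin@EXAMPLE.COM for afpserver/server.example.com@EXAMPLE.COM, Server not found in Kerberos database
Feb 06 17:05:02 server.example.com krb5kdc[221](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.0.171: UNKNOWN_SERVER: authtime 1139263502, jdoe@EXAMPLE.COM for host/server.example.com@EXAMPLE.COM, Server not found in Kerberos database
Feb 06 17:05:10 server.example.com krb5kdc[221](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.0.170: UNKNOWN_SERVER: authtime 1139263476, admin@EXAMPLE.COM for afpserver/server.example.com@EXAMPLE.COM, Server not found in Kerberos database
Feb 06 17:06:00 server.example.com krb5kdc[221](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.0.171: CLIENT_NOT_FOUND: mcorey@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
EOF
  echo "$f"
}

# make_sample_keytab_listing -> temp file with constructed `klist -kt /etc/krb5.keytab` output
make_sample_keytab_listing() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/06/06 16:37:52 host/server.example.com@EXAMPLE.COM
   3 02/06/06 16:37:52 ldap/server.example.com@EXAMPLE.COM
EOF
  echo "$f"
}

# unknown_servers KDCLOG -> service principals rejected with UNKNOWN_SERVER, de-duplicated
unknown_servers() {
  sed -n 's/.*UNKNOWN_SERVER:.* for \([^,]*\),.*/\1/p' "$1" | sort -u
}

# unknown_clients KDCLOG -> client principals rejected with CLIENT_NOT_FOUND ("Client not found")
unknown_clients() {
  sed -n 's/.*CLIENT_NOT_FOUND: \([^ ]*\) for .*/\1/p' "$1" | sort -u
}

# keytab_principals LISTING -> principals in saved `klist -kt` output (KVNO date time principal)
keytab_principals() {
  awk 'NF >= 4 && $1 ~ /^[0-9]+$/ { print $4 }' "$1" | sort -u
}

# in_keytab LISTING PRINC -> exit 0 if the keytab holds a key for PRINC
in_keytab() { keytab_principals "$1" | grep -qxF "$2"; }

# classify KDCLOG LISTING -> one line per rejected service principal:
#   "out-of-sync PRINC"  keytab has a key, KDC database does not know it
#   "missing PRINC"      neither side has it: the principal was never created
classify() {
  unknown_servers "$1" | while read -r p; do
    if in_keytab "$2" "$p"; then echo "out-of-sync $p"; else echo "missing $p"; fi
  done
}

# Stand-alone demo over the constructed samples, then the live kdc.log if readable.
log=$(make_sample_kdc_log); kt=$(make_sample_keytab_listing)
echo "clients unknown to the KDC:"; unknown_clients "$log"
echo "service principals rejected by the KDC:"; classify "$log" "$kt"
rm -f "$log" "$kt"
if [ -r "$KDC_LOG" ]; then echo "live kdc.log:"; unknown_servers "$KDC_LOG"; fi
```

For a live run, save the keytab listing first with `klist -kt /etc/krb5.keytab > /tmp/keytab.txt` (as root) and call `classify /var/log/krb5kdc/kdc.log /tmp/keytab.txt`. An "out-of-sync" result means the KDC database was rebuilt after the service keys were exported, which is what a demote/re-promote cycle does, while a "missing" result means the service principal was never created at all (compare the sso_util output in the slapconfig log earlier in this thread). A user showing up under "clients unknown to the KDC" matches the "no principal" line in the Password Service log: that account exists in LDAP but has no Kerberos principal, which is a per-user fix rather than a reason to rebuild the database.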