OD and Kerberos on 10.4 Server – won’t work

  • #361744
    rfn
    Participant

    Hi!

    I’m trying to setup a new server with 10.4 Server, but I simply can’t get Kerberos to work. I have now tried everything I can think of so now I ask here, to see if you can help.

    This is a fresh install, so the first thing I do is to make sure that the DNS – which is running on the same server – is ok. I make one zone and to start with that’s all, no CNAMES, no MX etc. I then restart and check that the machines hostname is indeed what i want it to be, and check DNS and reverse DNS with dig in the terminal and lookupd through Network Utility. Everything looks ok.

    Then I promote the server to an Open Directory Master and get the dialog where I create the Kerberos realm. Everything still looks ok. After that it looks like Kerberos is running – at least thats what Server Admin is telling me, but it doesn’t work. When I check the logs I can see several errors. I have changed the real hostname to myserver.domain.tld in this post:

    Directory Services Error log:
    2005-05-22 06:13:15 PDT – Attempt #1 to initialize plug-in LDAPv3 failed.
      Will retry initialization at most 100 times every 1 second.
    2005-05-22 06:13:15 PDT – Network transition in LDAPv3 plugin returned error -14279

    kadmin.log:
    May 22 16:09:30 myserver.domain.tld kadmin.local[316](info): No dictionary file specified, continuing without one.

    LDAP Log:
    May 22 16:09:16 myserver slapd[276]: @(#) $OpenLDAP: slapd 2.2.19 $

    May 22 16:09:16 myserver slapd[276]: bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)

    May 22 16:09:16 myserver slapd[276]: bdb_db_init: Initializing BDB database

    May 22 16:09:17 myserver slapd[276]: slapd starting

    May 22 16:09:41 myserver slapd[276]: <= bdb_substring_candidates: (apple-mcxflags) index_param failed (18)

    slapconfig Log:
    2005-05-22 16:09:28 +0200 – kerberosautoconfig command failed with status 255
    2005-05-22 16:09:28 +0200 – command: /usr/sbin/mkpassdb -kerberize
    2005-05-22 16:09:28 +0200 – mkpassdb command output:
    kadmin.local: unable to get default realm
    kadmin.local: unable to get default realm
    2005-05-22 16:09:28 +0200 – command: /usr/sbin/vpnaddkeyagentuser -q /LDAPv3/127.0.0.1
    2005-05-22 16:09:30 +0200 – slapconfig -setldapconfig
    2005-05-22 16:09:30 +0200 – command: /usr/sbin/mkpassdb -setreplicationinterval 86400 SyncAnytime

    Does this make any sense to you? LDAP is working since I can log into networked homes but Kerberos is not working since I have to enter passwords when using ssh after already being logged in. I simply can’t figure out where I’m doing something wrong.

    I’m wondering if it has something to do with the fact that it’s impossible to define the hostname during the setup of the server. It seems like even though the server later got the right hostname through DNS, it still defaults to myserver.local in Server Admin and Workgroup Manager, and not server.domain.tld.

    #361768
    Anonymous
    Guest

    Is the default_realm defined in /Library/Preferences/edu.mit.kerberos the good one on the server and on the clients?
    What did you define in network preferences for the address of your DNS server: your external IP or 127.0.0.1?
    David

    #361799
    rfn
    Participant

    Regarding DNS: The server is working behind a router with NAT, so it has a local IP called 10.0.0.5 and that is what I wrote in Network in System Preferences.

    I have just wiped the server again (I have done that a LOT of times) and now it works, but it has worked sporadically before and then just stopped.

    I can now log on to the server and it automatically mounts the networked home-folder. With the Kerberos.app I can see that I have got a ticket. SSH also works without a password.

    This is great, but I’m not completely sure that everything is right yet. Here you can see the contents of edu.mit.kerberos:

    # WARNING This file is automatically created, if you wish to make changes
    # delete the next two lines
    # autogenerated from : /LDAPv3/127.0.0.1
    # generation_id : 1265068861
    [libdefaults]
    default_realm = G4SERVER.RFN.DK
    [realms]
    G4SERVER.RFN.DK = {
    kdc = g4server.rfn.dk
    admin_server = g4server.rfn.dk
    }
    [domain_realm]
    rfn.dk = G4SERVER.RFN.DK
    .rfn.dk = G4SERVER.RFN.DK
    [logging]
    admin_server = FILE:/var/log/krb5kdc/kadmin.log
    kdc = FILE:/var/log/krb5kdc/kdc.log

    The client has the same values, now that it works.

    The system.log shows this after startup:

    May 26 18:52:51 g4server mDNSResponder: Update _kerberos._tcp.G4SERVER.RFN.DK. refused
    May 26 18:52:51 g4server mDNSResponder: Registration of record _kerberos._tcp.G4SERVER.RFN.DK. type 33 failed with error -65553
    May 26 18:52:51 g4server mDNSResponder: Update _kerberos._udp.G4SERVER.RFN.DK. refused
    May 26 18:52:51 g4server mDNSResponder: Registration of record _kerberos._udp.G4SERVER.RFN.DK. type 33 failed with error -65553
    May 26 18:52:51 g4server mDNSResponder: ERROR: Only name server claiming responsibility for "_kerberos.g4server." is "."!

    slapconfig log shows this:

    2005-05-26 17:54:45 +0200 – command: /usr/sbin/sso_util configure -r G4SERVER.RFN.DK -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 ldap
    2005-05-26 17:54:46 +0200 – sso_util command output:
    Contacting the directory server
    Creating the service list
    Creating the service principals
    WARNING: no policy specified for ldap/[email protected]; defaulting to no policy
    Creating the keytab file
    kadmin: No entry for principal ldap/[email protected] exists in keytab WRFILE:/etc/krb5.keytab
    Configuring services
    WriteSetupFile: setup file path = /temp.h8wO/setup
    Cleaning up
    2005-05-26 17:54:46 +0200 – command: /sbin/kerberosautoconfig -u -v 1
    2005-05-26 17:54:46 +0200 – kerberosautoconfig command output:
    The machine is standalone
    Removing /Library/Preferences/edu.mit.Kerberos
    2005-05-26 17:54:46 +0200 – kerberosautoconfig command failed with status 255
    2005-05-26 17:54:46 +0200 – command: /usr/sbin/mkpassdb -kerberize
    2005-05-26 17:54:46 +0200 – mkpassdb command output:
    kadmin.local: unable to get default realm
    kadmin.local: unable to get default realm
    2005-05-26 17:54:46 +0200 – command: /usr/sbin/vpnaddkeyagentuser -q /LDAPv3/127.0.0.1
    2005-05-26 17:54:48 +0200 – slapconfig -setldapconfig
    2005-05-26 17:54:48 +0200 – command: /usr/sbin/mkpassdb -setreplicationinterval 86400 SyncAnytime
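
    The edu.mit.kerberos file above is only consistent if the default_realm, its [realms] block and the [domain_realm] mappings all agree, and if the kdc and admin_server hosts are real DNS names rather than the myserver.local Bonjour name the first post suspected. The following Python script, added here and not part of the thread or of Apple’s tools, parses the krb5.conf syntax that file uses and reports those mismatches. SAMPLE_OK is a constructed copy of the file shown above; SAMPLE_LOCAL is a constructed variant with a .local hostname.

```python
"""Parse and sanity-check an MIT krb5 configuration file (the
/Library/Preferences/edu.mit.Kerberos file that OS X Server generates).

Added example; not code from the thread or from Apple. SAMPLE_OK is a
constructed copy of the file rfn posted, SAMPLE_LOCAL is a constructed
variant with the .local hostname the thread blames."""

import re

SAMPLE_OK = """\
# autogenerated from : /LDAPv3/127.0.0.1
[libdefaults]
default_realm = G4SERVER.RFN.DK
[realms]
G4SERVER.RFN.DK = {
kdc = g4server.rfn.dk
admin_server = g4server.rfn.dk
}
[domain_realm]
rfn.dk = G4SERVER.RFN.DK
.rfn.dk = G4SERVER.RFN.DK
[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log
"""

# Constructed: what the file looks like when the server still calls itself
# g4server.local, the situation described earlier in the thread.
SAMPLE_LOCAL = SAMPLE_OK.replace("g4server.rfn.dk", "g4server.local")


def parse_krb5_conf(text):
    """Parse krb5.conf syntax: [section] headers, key = value lines and
    key = { ... } blocks. Returns {section: {key: str | dict}}."""
    conf = {}
    stack = []  # dicts currently open: the section, then any '{' blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        if not stack:
            raise ValueError("key before any [section]: %r" % raw)
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return conf


def check_config(conf):
    """Return a list of findings; an empty list means the realm, its KDC
    hosts and the [domain_realm] mappings agree with each other."""
    findings = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        # The state behind 'kadmin.local: unable to get default realm'.
        findings.append("no default_realm in [libdefaults]")
        return findings
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict):
        findings.append("default_realm %s has no [realms] block" % realm)
        return findings
    domain_realm = conf.get("domain_realm", {})
    for key in ("kdc", "admin_server"):
        host = entry.get(key, "").split(":")[0].lower()  # drop optional :port
        if not host:
            findings.append("[realms] %s has no %s" % (realm, key))
            continue
        if host.endswith(".local") or "." not in host:
            # A Bonjour/.local name is not resolvable by Kerberos clients
            # and cannot be matched to the realm through [domain_realm].
            findings.append("%s=%s is not a DNS fully qualified name" % (key, host))
            continue
        domain = host.split(".", 1)[1]
        if domain_realm.get("." + domain) != realm and domain_realm.get(domain) != realm:
            findings.append("[domain_realm] does not map %s to %s" % (domain, realm))
    return findings


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("local", SAMPLE_LOCAL)):
        print(name, check_config(parse_krb5_conf(text)) or ["consistent"])
```

    Run it against the server’s own file with `parse_krb5_conf(open("/Library/Preferences/edu.mit.Kerberos").read())` and compare the result with the same check on a client: both should come back empty, and the hostnames it reports should match what `dig` returns for forward and reverse lookup.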

    #361816
    Detrius
    Participant

    I have had some weird issues with Kerberos on 10.4.0 server as well. The 10.4.1 update hosed my OD setup as well. However, I never wiped the system and reinstalled. There’s nothing wrong with the actual installation, and reinstalling is just a headache that you don’t have to go through. What I have done is export the user definitions (and computer lists, etc…) in Workgroup Manager. Then, demote the server to standalone, and then re-promote it back to OD Master. You can then import the user definitions. You will have to manually change the password to be an OD password; you’ll have to reset the password as well.

    Once I have it working, I use the nifty new backup feature in Server Admin. Then, if I hose it at some point in the future, I can just restore using the same feature. This is a very useful and timesaving new feature.

    #361945
    Anonymous
    Guest

    I had problems as well.
    The problem was the ldap base.
    It was name.local instead of name.company.com
    If you are running DNS on the very machine, you need to install the server as standalone server first.
    Set up DNS, set your local network setting, so that your own IP is the first DNS server.
    Upgrade to Open Directory Master.

    And voilà, Kerberos was starting up.

    hopefully this helps,
    Markus

    #362247
    tkn0spdr
    Participant

    I’m getting lots of errors in my log file like so:

    Jul 05 18:00:15 strflt.technospider.com krb5kdc[181](info): DISPATCH: repeated (retransmitted?) request from 192.168.27.253, resending previous response
    Jul 05 18:00:15 strflt.technospider.com krb5kdc[181](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: ISSUE: authtime 1120600815, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Jul 05 18:00:15 strflt.technospider.com krb5kdc[181](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: UNKNOWN_SERVER: authtime 1120569784,  [email protected] for ldap/[email protected], Server not found in Kerberos database
    Jul 05 21:25:28 strflt.technospider.com krb5kdc[181](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: ISSUE: authtime 1120613128, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Jul 05 21:25:28 strflt.technospider.com krb5kdc[181](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: UNKNOWN_SERVER: authtime 1120613128,  [email protected] for ldap/[email protected], Server not found in Kerberos database
    Jul 05 21:30:08 strflt.technospider.com krb5kdc[181](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: CLIENT_NOT_FOUND: [email protected] for krbtgt/[email protected], Client not found in Kerberos database
    Jul 05 21:31:00 strflt.technospider.com krb5kdc[181](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: CLIENT_NOT_FOUND: [email protected] for kadmin/[email protected], Client not found in Kerberos database
    Jul 06 16:19:17 strflt.technospider.com krb5kdc[181](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
    Jul 06 16:19:17 strflt.technospider.com krb5kdc[181](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: ISSUE: authtime 1120681157, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]

    My edu.mit.Kerberos file seems fine:

    # WARNING This file is automatically created, if you wish to make changes
    # delete the next two lines
    # autogenerated from : /LDAPv3/127.0.0.1
    # generation_id : 664361347
    [libdefaults]
            default_realm = STRFLT.TECHNOSPIDER.COM
    [realms]
            STRFLT.TECHNOSPIDER.COM = {
                    kdc = strflt.technospider.com
                    admin_server = strflt.technospider.com
            }
    [domain_realm]
            .technospider.com = STRFLT.TECHNOSPIDER.COM
            technospider.com = STRFLT.TECHNOSPIDER.COM
    [logging]
            admin_server = FILE:/var/log/krb5kdc/kadmin.log
            kdc = FILE:/var/log/krb5kdc/kdc.log

    My kadmin.log shows me this over and over again:

    Jul 04 15:46:41 strflt.technospider.com kadmin.local[1184](info): No dictionary file specified, continuing without one.

    What the hell do I do? This is a fresh install of 10.4.1 Server and since I don’t really know what I’m doing I haven’t futzed with anything.

    I’m also getting lots of this in slapd.log:

    Jul  4 15:44:59 strflt slapd[67]: entry failed schema check: object class 'posixAccount' requires attribute 'homeDirectory'
    Jul  4 16:02:41 strflt slapd[67]: <= bdb_equality_candidates: (apple-computers) index_param failed (18)

    #362396
    InfraredAD
    Participant

    You might hate this suggestion, but unless you have a real, mission critical use for it, disable IPv6. The only way to effectively do this is to turn it off at the setup assistant immediately after a clean install, after the first restart. It’s something to do with the IPv6 name tables in 10.4… I was having a ton of problems getting a working OD Master setup until I finally turned off IPv6.

    Side note: This info isn’t something I stumbled on to. It was passed to me from one of the guys I work with at my university, and he got it from an Apple engineer who was helping someone else here. Anyway… just wanted to suggest that, good luck.

    #365188
    mlcdigital
    Participant

    I setup a Mac OS X.4 server several months ago.
    It’s running all network services: DHCP, DNS, OD, AD, AFP, SMB…
    Initially I set it up as a standalone server.
    Configured DNS and DHCP, verified and tested it, but I had the DNS server(s) under Network Config as 127.0.0.1 and the firewall address, so I changed it to the server’s network address.
    Configured OD as “Master” and configured LDAP to point to the server by its DNS name.
    All services show as running.

    I get this error when trying to connect to the server using Kerberos authentication.

    Client not found in Kerberos database

    Below are the most recent log files from Server Admin

    kadmin Log
    Feb 06 16:36:34 localhost kadmind[63](debug): Got signal to request exit
    Feb 06 16:36:34 localhost kadmind[63](info): finished, exiting
    Feb 06 16:37:52 localhost kadmind[65](info): Seeding random number generator
    Feb 06 16:37:52 localhost kadmind[65](info): No dictionary file specified, continuing without one.
    Feb 06 16:37:52 localhost kadmind[65](info): starting
    
    kdc Log
    Feb 06 17:04:36 server.acton.k12.me.us krb5kdc[221](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.0.170: ISSUE: authtime 1139263476, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
    Feb 06 17:04:37 server.acton.k12.me.us krb5kdc[221](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.0.170: UNKNOWN_SERVER: authtime 1139263476,  [email protected] for afpserver/[email protected], Server not found in Kerberos database
    
    LDAP Log
    Feb  6 15:44:07 server slapd[65]: <= bdb_equality_candidates: (apple-computers) index_param failed (18)
    Feb  6 16:11:47 server slapd[65]: SASL [conn=13630] Failure: no user in database
    Feb  6 16:37:52 localhost slapd[67]: @(#) $OpenLDAP: slapd 2.2.19 $
    Feb  6 16:37:53 localhost slapd[67]: bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
    Feb  6 16:37:53 localhost slapd[67]: bdb_db_init: Initializing BDB database
    Feb  6 16:37:53 localhost slapd[67]: slapd starting
    Feb  6 16:45:11 server slapd[67]: connection_input: conn=29 deferring operation: awaiting write
    Feb  6 17:12:12 server slapd[67]: SASL [conn=90] Failure: no user in database
    
    Password Service Server Log
    Feb  6 2006 17:04:14	KERBEROS-LOGIN-CHECK: user {0x4303712f46fde9440000000400000004, mcorey} authentication failed.
    Feb  6 2006 17:04:14	QUIT: {no user} disconnected.
    Feb  6 2006 17:04:36	KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000001, admin} is in good standing.
    Feb  6 2006 17:04:36	QUIT: {no user} disconnected.
    Feb  6 2006 17:04:36	KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000001, admin} authentication succeeded.
    Feb  6 2006 17:04:36	QUIT: {no user} disconnected.
    Feb  6 2006 17:12:12	KERBEROS-LOGIN-CHECK: no principal ([email protected])
    Feb  6 2006 17:12:12	QUIT: {no user} disconnected.

    After reading through this thread I’ve noticed that there is one thing that I haven’t done but probably need to do in order to remedy this issue, and that is to demote OD to Standalone -> Reboot -> promote OD to Master/Primary.
    I can’t and won’t do that because we already have 300 users in the database.
    I’m not going to tell everyone that their passwords have all been reset and they need to change their passwords.
    Is there a way around my issues without dropping the database and then importing the database?
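
    The kdc.log lines tkn0spdr and mlcdigital posted share one pattern: the AS_REQ is answered with ISSUE (the user does have a Kerberos principal), but the following TGS_REQ for ldap/… or afpserver/… fails with UNKNOWN_SERVER, meaning that service principal was never created in the KDC database (the sso_util / kerberosautoconfig step that failed in rfn’s slapconfig log), while CLIENT_NOT_FOUND means the user account itself has no Kerberos principal, which is the password situation Detrius described. NEEDED_PREAUTH is the normal first leg of an AS exchange and not an error. The following Python triage script, added here and not from the thread or from Apple/MIT, parses lines in that format and sorts them by cause; the log lines and principals in it are constructed with the placeholder realm EXAMPLE.COM.

```python
"""Triage an MIT krb5kdc log (/var/log/krb5kdc/kdc.log on OS X Server) into
the failures that matter: service principals the KDC does not know
(UNKNOWN_SERVER) and client principals it does not know (CLIENT_NOT_FOUND).

Added example; not code from the thread or from Apple/MIT. The log lines
below are constructed in the format of the lines tkn0spdr and mlcdigital
posted, with placeholder principals in the realm EXAMPLE.COM."""

import re
from collections import Counter

SAMPLE_KDC_LOG = """\
Jul 05 18:00:15 kdc.example.com krb5kdc[181](info): DISPATCH: repeated (retransmitted?) request from 192.168.27.253, resending previous response
Jul 05 18:00:15 kdc.example.com krb5kdc[181](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: ISSUE: authtime 1120600815, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 05 18:00:15 kdc.example.com krb5kdc[181](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: UNKNOWN_SERVER: authtime 1120569784,  alice@EXAMPLE.COM for ldap/kdc.example.com@EXAMPLE.COM, Server not found in Kerberos database
Jul 05 21:30:08 kdc.example.com krb5kdc[181](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: CLIENT_NOT_FOUND: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database
Jul 06 16:19:17 kdc.example.com krb5kdc[181](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: NEEDED_PREAUTH: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jul 06 16:19:17 kdc.example.com krb5kdc[181](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.27.253: ISSUE: authtime 1120681157, etypes {rep=16 tkt=16 ses=16}, carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Feb 06 17:04:37 kdc.example.com krb5kdc[221](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.1.0.170: UNKNOWN_SERVER: authtime 1139263476,  carol@EXAMPLE.COM for afpserver/kdc.example.com@EXAMPLE.COM, Server not found in Kerberos database
"""

# One AS_REQ/TGS_REQ line: timestamp, KDC host, request type, client IP,
# status code, then the free-form remainder holding the principals.
REQUEST_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <server principal>" inside the remainder; the
# server principal ends at a comma (error text follows) or at end of line.
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")


def parse_kdc_line(line):
    """Return a dict for an AS_REQ/TGS_REQ line, or None for other lines
    (DISPATCH retransmit notes, startup messages)."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    p = PRINCIPALS_RE.search(event.pop("rest"))
    event["client"] = p.group("client") if p else None
    event["server"] = p.group("server") if p else None
    return event


def triage(log_text):
    """Summarise which principals the KDC rejected and why."""
    summary = {
        "issued": 0,
        "preauth_challenges": 0,       # NEEDED_PREAUTH: normal, client retries with preauth
        "unknown_servers": Counter(),  # service principal -> count, no entry in KDC database
        "unknown_clients": Counter(),  # client principal -> count, user has no Kerberos principal
        "other": Counter(),            # any status code not classified above
    }
    for line in log_text.splitlines():
        ev = parse_kdc_line(line)
        if ev is None:
            continue
        status = ev["status"]
        if status == "ISSUE":
            summary["issued"] += 1
        elif status == "NEEDED_PREAUTH":
            summary["preauth_challenges"] += 1
        elif status == "UNKNOWN_SERVER":
            summary["unknown_servers"][ev["server"]] += 1
        elif status == "CLIENT_NOT_FOUND":
            summary["unknown_clients"][ev["client"]] += 1
        else:
            summary["other"][status] += 1
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_KDC_LOG)
    print("tickets issued:", result["issued"])
    print("service principals missing from the KDC:", sorted(result["unknown_servers"]))
    print("clients with no Kerberos principal:", sorted(result["unknown_clients"]))
```

    On a real server, feed it `open("/var/log/krb5kdc/kdc.log").read()`. Every name under `unknown_servers` is a service principal that should exist in the realm but does not, which tells you which service was not kerberized; names under `unknown_clients` are accounts whose password is not an Open Directory (Kerberos) password, so a list of affected users can be produced before anyone is asked to reset anything.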

    #365677
    TvE
    Participant

    RFN: Did you manage to get it working as expected???

    I am observing the exact same symptoms you did (as you can see in this thread).

    We’ve got to get those Danish OD Masters to work ;_)
