Open Directory network authentication and kerberos setup

#373200
    s_bennett
    Participant

    Let me preface this entry by saying that this is the first time I’ve posted here and I’m new to OS X but not to systems administration. Also, apologies if this is redundant, but my problems seem almost too basic for what I’ve already found posted:

    In a small office setup we have a mac mini running OS 10.5.3 serving open directory, ical, wiki, vpn (for only a few users) and afp is turned on but no shares are mounted. When I arrived in this position users were still logging into their local machines with local accounts and only using OD accounts for mail authentication, file services, wiki, etc. My first thought was to move towards network logons and kerberos single sign on.

    I rebuilt the OD Master service, creating what appears to be an out-of-the-box implementation (I should note here that DNS and DHCP are open source implementations on another machine using the Webmin interface and work reliably). I then restored an archive of the directory to the freshly created OD Master and set up a number of replicas.

    Replication looks good, Kerberos and Password Server are running, I can bind client machines to the OD Master, but I cannot authenticate a network user from the logon screen (including the directory admin). No error message, just the shakes. Nor can I join a connected server to the Kerberos realm (after following Apple’s documentation to do so).

    A few more things I should mention: on the OD Master the directory utility shows that LDAPv3/127.0.0.1 is being searched for authentication and contacts.
    No Kerberos principals were listed for users after restoring the archive to the blank database during the initial setup. Is there an easy way to create the principals, or do I need to tear down the Kerberos realm and rebuild it fresh? DirectoryService debugging is on, so if anyone wants, I can provide log information, but I’m hoping there’s something easy that I’ve missed.

    Again, sorry if this is redundant, but thanks for any suggestions.

    By the way, I just went to WWDC for the first time last week, really appreciate the input from the AFP548 guys.

    #373273
    s_bennett
    Participant

    Does anyone have any thoughts? To test this I created a new OD Master on a fresh install of 10.5.3 on an Xserve. DNS and time sync all look good. I followed the documentation closely on creating an OD master. Here are some logs that hopefully can shed some light on this:

    Perhaps I’m missing some very basic step that all OS X administrators know but take for granted??? (don’t mind the log smiley faces by the way)

    This shows up in directory services log right after installation:

    2008-06-26 15:37:04 PDT – T[0xB0103000] – Attempt #1 to initialize plug-in PasswordServer failed.
    Will retry initialization at most 100 times every 1 second.

    Initial setup directory service logs:

    2008-06-26 15:10:28 PDT – T[0xA031AF60] –

    2008-06-26 15:10:28 PDT – T[0xA031AF60] – DirectoryService 5.0 (v514) starting up…
    2008-06-26 15:10:28 PDT – T[0xB0185000] – Initializing TCP …
    2008-06-26 15:10:28 PDT – T[0xB0207000] – Plugin , Version <1.0>, processed successfully.
    2008-06-26 15:10:28 PDT – T[0xB0207000] – Plugin , Version <3.0>, processed successfully.
    2008-06-26 15:10:28 PDT – T[0xB0207000] – Plugin , Version <1.0>, processed successfully.
    2008-06-26 15:10:29 PDT – T[0xB0207000] – Plugin , Version <3.0>, processed successfully.
    2008-06-26 15:10:29 PDT – T[0xB0207000] – Plugin , Version <3.0>, processed successfully.
    2008-06-26 15:10:29 PDT – T[0xB0207000] – Plugin , Version <2.0>, processed successfully.
    2008-06-26 15:10:29 PDT – T[0xB038D000] – Registered node /Configure
    2008-06-26 15:10:29 PDT – T[0xB038D000] – Plug-in Configure state is now active.
    2008-06-26 15:10:29 PDT – T[0xB0491000] – Plug-in LDAPv3 state is now active.
    2008-06-26 15:10:29 PDT – T[0xB0595000] – Registered Locally Hosted Node /BSD/local
    2008-06-26 15:10:29 PDT – T[0xB0595000] – Registered node /BSD/local
    2008-06-26 15:10:29 PDT – T[0xB0595000] – Plug-in BSD state is now active.
    2008-06-26 15:10:29 PDT – T[0xB040F000] – Registered Locally Hosted Node /Local/Default
    2008-06-26 15:10:29 PDT – T[0xB040F000] – Registered node /Local/Default
    2008-06-26 15:10:29 PDT – T[0xB040F000] – Plug-in Local state is now active.
    2008-06-26 15:10:29 PDT – T[0xB0513000] – Registered node /Search
    2008-06-26 15:10:29 PDT – T[0xB0513000] – Registered node /Search/Contacts
    2008-06-26 15:10:29 PDT – T[0xB0513000] – Registered node /Search/Network
    2008-06-26 15:10:29 PDT – T[0xB0513000] – Plug-in Search state is now active.
    2008-06-26 15:10:31 PDT – T[0xB030B000] – Registered node /Cache
    2008-06-26 15:10:31 PDT – T[0xB030B000] – Plug-in Cache state is now active.
    2008-06-26 15:10:31 PDT – T[0xB0207000] – Plugin “Active Directory”, Version “1.6”, is set to load lazily.
    2008-06-26 15:10:31 PDT – T[0xB0207000] – Plugin “PasswordServer”, Version “4.0”, is set to load lazily.
    2008-06-26 15:10:41 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:10:43 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:10:44 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:10:45 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:25:52 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:25:52 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:25:54 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:25:55 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:25:55 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:37:05 PDT – T[0xB0103000] – Plugin “PasswordServer”, Version “4.0”, loaded on demand successfully.
    2008-06-26 15:37:05 PDT – T[0xB0103000] – Plug-in PasswordServer state is now active.
    2008-06-26 16:08:16 PDT – T[0xA031AF60] – Shutting down DirectoryService…
    2008-06-26 16:10:13 PDT – T[0xA083BFA0] –

    Directory Service Debug Logs:

    2008-06-30 11:57:37 PDT – T[0xB0289000] – PasswordServer PlugIn: SASL authentication error 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – CPSPlugIn::DoAuthentication returning 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsDoDirNodeAuth(), PasswordServer Used : DAR : Node Ref = 16903579 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsDoDirNodeAuth(), LDAPv3 Used : DAR : Node Ref = 16903577 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirNode(), PasswordServer Used : DAC : Node Ref = 16903579
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirNode(), PasswordServer Used : DAR : Node Ref = 16903579 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirService(), Server Used : DAC : Dir Ref 16903578
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirService(), Server Used : DAR : Dir Ref 16903578 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAC : Node Ref = 16903577
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAR : Node Ref = 16903577 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – CDSLocalPlugin::DoAuthentication(): got error of 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Client: Workgroup Manage, PID: 24662, API: dsDoDirNodeAuth(), Local Used : DAR : Node Ref = 16903569 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0103000] – Client: Workgroup Manage, PID: 24662, API: dsFindDirNodes(), Server Used : DAC : Dir Ref 16903553 : Data buffer size = 2048
    2008-06-30 11:57:37 PDT – T[0xB0103000] – Client: Workgroup Manage, PID: 24662, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16903553 : Requested nodename = /Search
    2008-06-30 11:57:37 PDT – T[0xB0103000] – Client: Workgroup Manage, PID: 24662, API: dsFindDirNodes(), Server Used : DAR : 2 : Dir Ref = 16903553 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Client: Requesting dsOpenDirNode with PID = 24662, UID = 501, and EUID = 501
    s
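As an added example (not code from the post, and not an Apple tool), here is a small Python parser for the DirectoryService debug-log layout pasted above: it pulls the result code out of each dispatch-return (DAR) line, flags dsDoDirNodeAuth calls that did not return 0, and counts PasswordServer plug-in initialisation retries and nonzero SASL errors. The sample lines are constructed; the failing loginwindow entry and its -14090 (eDSAuthFailed) code are assumed for illustration, not taken from the post.

```python
import re
from collections import Counter

# Constructed sample in the DirectoryService debug-log layout seen in the post.
# Thread ids and node refs are made up; the loginwindow line with result code
# -14090 (eDSAuthFailed, what a rejected password returns) is assumed.
SAMPLE_LOG = """\
2008-06-30 11:57:37 PDT - T[0xB0289000] - PasswordServer PlugIn: SASL authentication error 0
2008-06-30 11:57:37 PDT - T[0xB0289000] - Internal Dispatch, API: dsDoDirNodeAuth(), PasswordServer Used : DAR : Node Ref = 16903579 : Result code = 0
2008-06-30 11:57:37 PDT - T[0xB0289000] - Client: Workgroup Manage, PID: 24662, API: dsDoDirNodeAuth(), Local Used : DAR : Node Ref = 16903569 : Result code = 0
2008-06-30 11:58:02 PDT - T[0xB0103000] - Client: loginwindow, PID: 31, API: dsDoDirNodeAuth(), LDAPv3 Used : DAR : Node Ref = 16903601 : Result code = -14090
2008-06-30 11:58:02 PDT - T[0xB0103000] - PasswordServer PlugIn: SASL authentication error -1
2008-06-26 15:37:04 PDT - T[0xB0103000] - Attempt #1 to initialize plug-in PasswordServer failed.
"""

DASH = r"\s[-\u2013]\s"  # the real log uses "-", the forum paste shows an en dash
DAR_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+)" + DASH + r"T\[(?P<thread>0x[0-9A-Fa-f]+)\]" + DASH
    + r"(?:Client: (?P<client>[^,]+), PID: (?P<pid>\d+), |Internal Dispatch, )"
    r"API: (?P<api>\w+)\(\), (?P<plugin>\w+) Used : DAR :.*Result code = (?P<code>-?\d+)"
)
INIT_RE = re.compile(r"Attempt #\d+ to initialize plug-in (?P<plugin>\w+) failed")
SASL_RE = re.compile(r"SASL authentication error (?P<code>-?\d+)")


def parse_results(text):
    """Return one dict per DAR (dispatch-return) line that carries a result code."""
    out = []
    for line in text.splitlines():
        m = DAR_RE.match(line)
        if m:
            d = m.groupdict()
            d["code"] = int(d["code"])
            out.append(d)
    return out


def summarize(text):
    """Condense a debug log into the facts worth reading when logins 'just shake'."""
    auths = [r for r in parse_results(text) if r["api"] == "dsDoDirNodeAuth"]
    failures = [{"client": r["client"] or "internal", "plugin": r["plugin"], "code": r["code"]}
                for r in auths if r["code"] != 0]
    init_fail = Counter(m.group("plugin") for m in INIT_RE.finditer(text))
    sasl_err = sum(1 for m in SASL_RE.finditer(text) if int(m.group("code")) != 0)
    return {"auth_attempts": len(auths), "auth_failures": failures,
            "plugin_init_failures": dict(init_fail), "sasl_errors": sasl_err}
```

Result code 0 is eDSNoErr, so an excerpt like the one in the post, where every dsDoDirNodeAuth line returns 0, records attempts that succeeded; the useful capture is the loginwindow attempt that is being rejected.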

    #373279
    s_bennett
    Participant

    Hi, thanks for the response. mkpassdb got the missing kerberos principals back so thanks for that.

    I still can’t seem to figure out why a network user cannot authenticate. I have a client machine bound to the Open Directory master; it can see the LDAP domain for authentication and contacts, yet the only account that will authenticate is the directory administrator. The login window will show the network user, I can even get it to prompt a network user to change a password, but when it comes time to actually enter the password and authenticate, the screen just shakes. This happens for every user – new ones that I’ve just created as well as old ones that were imported after the Leopard install – again, except for the directory admin account.

    I opened a ticket with Apple support, who told me that sometimes the OD installation “hiccups” when looking at the DNS names (whatever that means). So I executed the “changeip LDAPv3/127.0.0.1/ old ip new ip oldname newname” to make sure all the names were correct. Time sync is good, and I’ve added the client machine to a computer group in Workgroup Manager as well. As far as Open Directory goes, the ability for a user to log in from a client machine should be (and typically is) taken for granted. Are there some common problems that I’m not thinking of that could prevent this? (service conflicts on the server or some hardware issue?) Network-wise there’s no NAT going on and both the machines are on the same subnet. By the way, should Workgroup Manager auto-populate the computer list? It does recognize other servers connected to the same switch but nothing else on the subnet.
