dragonmac, July 31, 2004 at 12:26 pm:
OK, I really need help here.
Let's just get to the point: if someone could send me to the page, or reply as to how to rebuild Kerberos from scratch, that would be great. I've got 50 users, so it's no big deal to re-enter passwords in WM after a clean build of Kerberos. I've read your Kerberos posts, parts 1 & 2, and they are great but only seem to get me halfway.
I'll give you an idea of what I did to start and you can fill in the blanks.
I cleaned out files as root with the Finder: /var/db/krb5kdc/*, /etc/krb5.keytab, and /Library/Preferences/edu.mit.Kerberos.
Killed the kadmind process OK, and krb5kdc, which seems to just respawn.
As root in Terminal:
kerberosautoconfig -r MY.DOMAIN.NET -m my.domain.net -u
Works OK, no error that I recall, and the edu.mit.Kerberos file is there. Next:
kdcsetup -f /LDAPv3/127.0.0.1/ -a adminname -p mypass -w MY.DOMAIN.NET
WARNING: no policy specified for [email protected]; defaulting to no policy
I get this message, but the files are populated in /var/db/krb5kdc/*. Next:
sudo sso_util configure -r MY.DOMAIN.NET -a adminname -p mypass all
Appears OK and krb5.keytab is back.
The Kerberos app gives me a key and all that, and your other notes on kinit and klist responses seem to work, but only as ROOT, mind you.
After this I'm lost and I still have problems. I tried a number of things and it still doesn't seem right: I had problems getting auth'ed and getting kadmin access (i.e. kadmin: addprinc adminname/admin; I had to do kadmin.local first, I think), reset the 501 user's password in LDAP only with a second admin user in WM, selected OD Master while it is master in Server Admin and filled in the blanks of the pop-down, and in Directory Asst my config has been "enabled 127.0.0.1 127.0.0.1 Open Directory Server no-ssl", base suffix is "dc=domain,dc=net", and Auth has the custom path "/LDAPv3/127.0.0.1" added.
Now, after a restart, I had a problem with WM giving me a -14002 error trying to get into the LDAP path. It seems OK now, but I don't like it. Before I go re-entering all the passwords I'd like a little help on all the commands and steps to rebuild from the bottom up.
EDIT: I see now in kadmin: listprinc there is NO "[email protected]", only "root/[email protected]". Is this wrong or right??? Ahhh!
Stuff appears to populate after a WM change of password type to Crypt: save, then Open Dir: save. Can't I just set this with some kind of addprinc username/??? in kadmin? Still not convinced it's right.
EDIT2: While you're at it, can you now tell me how to fix a client!!! Why do I get "An AppleShare system error occurred" when I "Connect to Server" from my 10.3.4 laptop and the server is set to AFP: Kerberos only? How nice.
honestpuck, August 1, 2004 at 10:25 am:
Hi,
First, the two articles are a great guide to building Kerberos from the bottom up. Just do the steps one by one, making sure to check your keytab and list of principals at every step.
Second, you should NEVER create a principal for root@; that would allow root access via the KDC. root/admin@ is the principal that allows root to administer the KDC, and it should be there.
Third, you are probably better off ignoring the Kerberos GUI utility until you are sure the system is working perfectly. Use the command line utilities. On your server do an "apropos kerberos" to get the full list of them. The same goes for cleaning out the KDC: do it on the command line, making sure you clean the right places out properly by doing an 'ls -a' so you can see any files starting with a period.
Fourth, check out ALL the doco of ALL of the commands in the second Kerberos article so you understand what each command is doing.
Fifth, make sure as much as possible works on the server before trying anything from a client, and ABSOLUTELY confirm that the edu.mit.Kerberos file is the same on the client and server.
Finally, a Kerberos rebuild should not upset your user list at all; the users are stored in the LDAP server and the system replicates them into the KDC. Before you try and fix your KDC, make sure you have the LDAP system working perfectly.
After that, if you are still having problems, then I suggest you write a careful post that tells us as much information as possible, including your edu.mit.Kerberos file and the right parts of the keytab and principal list.
Tony Williams
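The checks Tony asks for above (keytab and principal list after every step, root/admin@ present, no bare root@ principal, and the client and server copies of edu.mit.Kerberos identical) can be scripted so they are run the same way after each of the kerberosautoconfig, kdcsetup and sso_util steps in the first post. This is an added example for the thread, not code from the original posts, from Apple or from the Kerberos articles. It assumes only the standard MIT tools shipped with OS X Server (kadmin.local with its listprincs query, klist -k, and cmp); the principal list embedded at the bottom is constructed to look like listprincs output on a small OD master, not captured from a real server.

```shell
#!/bin/sh
# kdc_check.sh: post-rebuild sanity checks for an OS X Server (MIT) KDC.
# Added example for this thread, not code from the original posts.
#
# Live usage on the server (assumed standard MIT commands):
#   kadmin.local -q listprincs 2>/dev/null | sh kdc_check.sh MY.DOMAIN.NET
#   klist -k /etc/krb5.keytab          # keytab must hold the service keys
#   cmp /Library/Preferences/edu.mit.Kerberos client-copy/edu.mit.Kerberos
#
# The checks take the principal list as a string so they can also be run
# on the constructed sample at the bottom of this file.

# Succeeds if the list contains a bare root@REALM principal. Tony's rule:
# it must never exist, because it would let "root" authenticate through the
# KDC; only the root/admin@REALM instance (KDC administration) belongs.
has_bare_root() {
    list="$1"; realm="$2"
    printf '%s\n' "$list" | grep -qxF "root@$realm"
}

# Succeeds only when every principal a working OD master KDC needs is there:
# the ticket-granting key, the kadmin service and the root/admin instance.
has_required_principals() {
    list="$1"; realm="$2"
    for p in "krbtgt/$realm@$realm" "kadmin/admin@$realm" "root/admin@$realm"; do
        printf '%s\n' "$list" | grep -qxF "$p" || return 1
    done
    return 0
}

# Prints the user principals (no "/" instance, so K/M and service keys are
# dropped), one per line. An empty result right after kdcsetup is the
# "no users in the KDC" symptom discussed later in the thread.
user_principals() {
    list="$1"; realm="$2"
    printf '%s\n' "$list" | grep "@$realm\$" | grep -v '/' | sort
}

# Runs all checks, prints one verdict line each, and returns 0 for a clean
# KDC, 1 for a missing required principal, 2 for a bare root principal.
check_kdc() {
    list="$1"; realm="$2"; rc=0
    if has_required_principals "$list" "$realm"; then
        echo "ok: krbtgt, kadmin/admin and root/admin present for $realm"
    else
        echo "FAIL: a required principal is missing; re-run kdcsetup"; rc=1
    fi
    if has_bare_root "$list" "$realm"; then
        echo "FAIL: bare root@$realm exists; remove it with: kadmin.local -q \"delprinc root@$realm\""; rc=2
    else
        echo "ok: no bare root@$realm principal"
    fi
    n=$(user_principals "$list" "$realm" | wc -l | tr -d ' ')
    echo "info: $n user principal(s) in the KDC"
    return $rc
}

# Constructed sample shaped like `kadmin.local -q listprincs` output on a
# 10.3 OD master with two users; not captured from a real server.
SAMPLE_REALM=MY.DOMAIN.NET
SAMPLE_LIST="K/M@MY.DOMAIN.NET
afpserver/server.my.domain.net@MY.DOMAIN.NET
alice@MY.DOMAIN.NET
bob@MY.DOMAIN.NET
kadmin/admin@MY.DOMAIN.NET
kadmin/changepw@MY.DOMAIN.NET
krbtgt/MY.DOMAIN.NET@MY.DOMAIN.NET
root/admin@MY.DOMAIN.NET"

# With a realm argument, read the real list from stdin; otherwise demonstrate
# on the constructed sample.
if [ $# -ge 1 ]; then
    check_kdc "$(cat)" "$1"
else
    check_kdc "$SAMPLE_LIST" "$SAMPLE_REALM"
fi
```

Run it after each rebuild step: after kdcsetup the required principals should already pass while the user count is still zero, and it only reaches the count the LDAP user list has once the password sync Tony describes has populated the KDC. A bare root@ entry is the one result that should be treated as a stop-and-fix, not a warning.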
dragonmac, August 2, 2004 at 7:06 pm:
Thanks for the reply, Tony.
I'm not a CLI wiz just yet, so I'm still learning these utils via the CLI. If someone could post a FULL set of CLI commands to clean out the KDC, it would be much appreciated. Using "rm" wrong in the CLI can be a very bad thing, lol.
Is your fifth note based on my edit about a system error when AFP is set to log in via the KDC only and an X client? If so, can I just delete this file from the same location on the client, or is that the main edu.mit.Kerberos? Is there a second location on a client for the edu.mit.Kerberos file from the server?
As to your final remark, the LDAP did not appear to replicate the users into the KDC. I used Server Admin to replicate now, but I think this is only for remote Open Directory servers? So even after a restart the KDC did not have any user entries (i.e. [email protected]). I had to go in and, like I said, change the password to Crypt, save, back to Open Dir, and save to get proper "[email protected]" entries. If this is not right, then why did they all not just get into the KDC?
I would still like to get a post from you or Joel with a straight set of CLI commands from start to finish on rebuilding the KDC from the ground up. I know my top entries are only a start, so a CLI list of "rm" commands to kill the current KDC, the right setup commands like I have above, and any stuff that needs to be done after my last command for OS X Server.
I'm sure someone may have done this already, so just post the web page if you know one. It seems like this kind of a post would be useful to many new OS X admins as well as folks new to the KDC on OS X.
honestpuck, August 3, 2004 at 12:15 am:
DragonMac,
The second Kerberos article has all the command line commands you need, already outlined. Go and read the 'man' pages for each and you will understand exactly what Joel is doing. The only 'rm' command you need to do is the one he tells you to use. The second article is as close to 'a straight set of CLI commands' as you are going to get.
On the no-users-in-the-database issue: if you hand-crank the KDC, then you won't have any user principals in the list until after they change their password, or you do exactly as you have outlined and change the password type. If you want to get around this problem, then you will have to demote the server from 'Open Directory Master' and then promote it back, which will also blow away your LDAP database and require you to re-import or re-enter your user list. It's the password part of Open Directory that keeps the three user and password lists in sync.
There is only one edu.mit.Kerberos file; it should be exactly the same as the one on your server, but your clients should be grabbing it from your LDAP server if all is working fine.
If you're having this much trouble and feel uncertain about using the CLI, I suggest you get a second box for a couple of days and do the server install from scratch a couple of times, going through the steps in the Kerberos article here and reading as much of the documentation as possible as you go. If you do the OS X Server install fine (making sure you are connected to a good DNS that lists your new server box properly is the key step), then getting Kerberos up is trivial; it just works. Then, when you're confident, do a brand new, clean install on your server. The extra work might hurt at this end, but you'll have a lot fewer problems keeping the box running.
Tony