Let's just get to the point, and if someone could send me to the page or reply as to how to rebuild the Kerberos from scratch, that would be great. I have 50 users, so it's no big deal to re-enter passwords in WM after a clean build of Kerberos. I read your Kerberos posts part 1 & 2 and they are great, but they only seem to get me halfway.
I'll give you an idea on what I did to start and you can fill in the blanks.
I cleaned out files as root with Finder: /var/db/krb5kdc/*, /etc/krb5.keytab, and /Library/Preferences/edu.mit.Kerberos.
Killed the kadmind process OK, and krb5kdc, which seems to just respawn.
As root in Terminal:

kerberosautoconfig -r MY.DOMAIN.NET -m my.domain.net -u

Works OK, no error that I recall, and the edu.mit.Kerberos file is there. Next:

kdcsetup -f /LDAPv3/127.0.0.1/ -a adminname -p mypass -w MY.DOMAIN.NET

WARNING: no policy specified for adminname@MY.DOMAIN.NET; defaulting to no policy

I get this message, but the files are populated in /var/db/krb5kdc/*. Next:

sudo sso_util configure -r MY.DOMAIN.NET -a adminname -p mypass all

Appears OK and krb5.keytab is back.
Kerberos App gives me a key and all that, and your other notes on kinit and klist responses seem to work, but ROOT ONLY, mind you.
After this I'm lost and I still have problems. I tried a number of things and it still doesn't seem right; I had problems getting authenticated and getting kadmin access (i.e. for kadmin: addprinc adminname/admin I had to do kadmin.local first, I think; reset the 501 user's password in LDAP only with a second admin user in WM; selected OD Master while it is master in Server Admin and filled in the blanks of the pop-down; and in Directory Asst my config has been "enabled 127.0.0.1 127.0.0.1 Open Directory Server no-ssl", the base suffix is "dc=domain,dc=net", and Auth has the custom path "/LDAPv3/127.0.0.1" added).
Now, after a restart, I had a problem with WM giving me a -14002 error trying to get into the LDAP path. It seems OK now, but I don't like it. Before I go re-entering all the passwords, I'd like a little help on all the commands and steps to rebuild from the bottom up.
EDIT: I see now in kadmin: listprinc there is NO "root@MY.DOMAIN.NET", only "root/admin@MY.DOMAIN.NET". Is this wrong or right??? Ahhh!
Stuff appears to populate after a WM change of the password type to crypt: save, then Open Dir: save. Can't I just set this with some kind of addprinc username/??? in kadmin? Still not convinced it's right.
EDIT2: While you're at it, can you now tell me how to fix a client!!! Why do I get "An AppleShare system error occurred" when I "Connect to Server" from my 10.3.4 laptop and the server is set to AFP: Kerberos only? How nice.