slapconfig -kerberize fails

This topic contains 18 replies, has 4 voices, and was last updated by sramdeen 8 years, 9 months ago.

    #375835

    rstasel
    Participant

    All,

    I’m beating my head against the wall here. Anytime I try to run slapconfig -kerberize diradmin REALM.EXAMPLE.COM I get:

    Warning: You are bound to another realm, please use -f to force kerberization.

    So, I add -f, and get:

    Warning: You are bound to another realm, suggest not to kerberize this OD server.
    Removed directory at path /var/db/krb5kdc.
    command: /sbin/kerberosautoconfig -r REALM.EXAMPLE.COM -m server.example.com -u -v 1
    command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 REALM.EXAMPLE.COM
    kdcsetup command output:
    Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File
    kdcsetup command failed with status 11
    kdcsetup command failed with exit code 11: stdout=(null), error-message=Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File

    And that’s it. No further. I know there are users that don’t have kerberos entries in their accounts (mine is one of them).

    Please advise!

    #375851

    rstasel
    Participant

    nope, never.

    So, clear out /var/db/krb5kdc, /Library/Preferences/edu.mit.kerberos and /etc/krb5kdc.keytab?

    I’m not sure how to clear out the dslocal stuff. Also, one of the sites I found said to clear out the local KDC stuff, but I’m not sure how to find out what that is either.

    #375970

    rstasel
    Participant

    Okay, so I’ve gotten this to go a bit further, but I’m still stuck.

    What I had to do was:
    rm /var/db/krb5kdc, /etc/krb5kdc.keytab, /Library/Preferences/edu.mit.kerberos, /var/db/dslocal/nodes/Default/config/Kerberos:REALM

    Then, go into WGM, go into inspector, then config for /LDAPv3/127.0.0.1, and kill the KerberosKDC, and KerberosClient.

    That seems to be EVERYTHING related to kerberos.

    Then if I run slapconfig -kerberize -f diradmin REALM.NAME.COM, it runs through fine until it gets to mkpassdb -kerberize, where it seems to hang. Yet, I can run mkpassdb -kerberize myself just fine.

    Once it hangs at that step, it doesn’t do anything else. Meaning it doesn’t go through and fix the user records that don’t have kerberos authentication entries.

    After doing all of the above, with removing kerberos, I also can see the “kerberize” button in SA under Open Directory, but hitting that seems to just run slapconfig -kerberize. It hangs in the same spot.

    So, I’m stuck. Does anyone have any suggestions? MacTroll?

    btw, this is on a 10.5.6 server. changeip -checkhostname comes back clean. I’ve also tried running through this: [url]http://www.makemacwork.com/manually-restart-kerberos.htm[/url] in order, but the kdcsetup command gives me a “bus error”.

    Please advise!

    #375972

    rstasel
    Participant

    So here’s what I get from the slapconfig -kerberize.

    [code]ldap:~ root# slapconfig -kerberize -f diradmin REALM.EXAMPLE.COM
    diradmin’s Password:
    command: /sbin/kerberosautoconfig -r REALM.EXAMPLE.COM -m server.example.com -u -v 1
    command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 REALM.EXAMPLE.COM
    kdcsetup command output:
    Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File
    Creating Admin ACL File
    Creating Kerberos Master Key
    Creating Kerberos Database
    Creating Kerberos Admin user
    WARNING: no policy specified for [email protected]; defaulting to no policy
    Adding kerberos auth authority to admin user
    Creating keytab for the admin tools
    Adding KDC & kadmind to launchd
    edu.mit.kadmind: Already loaded
    com.apple.kdcmond: Already loaded
    Adding the new KDC into the KerberosClient config record
    Finished
    command: /usr/sbin/sso_util configure -r REALM.EXAMPLE.COM -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 all
    sso_util command output:
    Contacting the directory server
    Creating the service list
    Creating the service principals
    WARNING: no policy specified for fcsvr/[email protected]; defaulting to no policy
    WARNING: no policy specified for pcast/[email protected]; defaulting to no policy
    WARNING: no policy specified for vnc/[email protected]; defaulting to no policy
    WARNING: no policy specified for cifs/[email protected]; defaulting to no policy
    WARNING: no policy specified for ldap/[email protected]; defaulting to no policy
    WARNING: no policy specified for xgrid/[email protected]; defaulting to no policy
    WARNING: no policy specified for vpn/[email protected]; defaulting to no policy
    WARNING: no policy specified for ipp/[email protected]; defaulting to no policy
    WARNING: no policy specified for xmpp/[email protected]; defaulting to no policy
    WARNING: no policy specified for XMPP/[email protected]; defaulting to no policy
    WARNING: no policy specified for host/[email protected]; defaulting to no policy
    WARNING: no policy specified for smtp/[email protected]; defaulting to no policy
    WARNING: no policy specified for nfs/[email protected]; defaulting to no policy
    WARNING: no policy specified for http/[email protected]; defaulting to no policy
    WARNING: no policy specified for HTTP/[email protected]; defaulting to no policy
    WARNING: no policy specified for pop/[email protected]; defaulting to no policy
    WARNING: no policy specified for imap/[email protected]; defaulting to no policy
    WARNING: no policy specified for ftp/[email protected]; defaulting to no policy
    WARNING: no policy specified for afpserver/[email protected]; defaulting to no policy
    Creating the keytab file
    Configuring services
    WriteSetupFile: setup file path = /temp.oEqc/setup

    command: /sbin/kerberosautoconfig -u -v 1
    command: /usr/sbin/mkpassdb -kerberize[/code]

    And there it stays. Kerberos does seem to be running, and a listprincs in kadmin.local does result in meaningful output. But, I’m still where I started, with many users not having kerberos authentication authority info in their user record, just an ApplePasswordServer record.

    Please help.
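An audit for the symptom described in this post (user records left with only an ;ApplePasswordServer; authority, or bound to a different realm), as an added example that is not from the thread. It assumes the directory node /LDAPv3/127.0.0.1 and the output shape of `dscl ... -list /Users AuthenticationAuthority`; the sample records are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit Open Directory user records for a
# missing or mismatched ;Kerberosv5; authentication authority.
# Input is in the shape of `dscl /LDAPv3/127.0.0.1 -list /Users AuthenticationAuthority`:
# one record name per line followed by its AuthenticationAuthority values.
# SAMPLE_DSCL_OUTPUT is constructed; slot ids and public keys are shortened placeholders.

SAMPLE_DSCL_OUTPUT='diradmin  ;ApplePasswordServer;0x4a1b2c3d,1024 35 1111 ;Kerberosv5;0x4a1b2c3d;diradmin@REALM.EXAMPLE.COM;REALM.EXAMPLE.COM;1024 35 1111
alice     ;ApplePasswordServer;0x4a1b2c3e,1024 35 2222
bob       ;ApplePasswordServer;0x4a1b2c3f,1024 35 3333 ;Kerberosv5;0x4a1b2c3f;bob@REALM.EXAMPLE.COM;REALM.EXAMPLE.COM;1024 35 3333
carol     ;ApplePasswordServer;0x4a1b2c40,1024 35 4444 ;Kerberosv5;0x4a1b2c40;carol@OLD.EXAMPLE.COM;OLD.EXAMPLE.COM;1024 35 4444'

# audit_authorities EXPECTED_REALM < dscl-output
# Prints one line per record: NAME OK PRINCIPAL, NAME MISSING_KERBEROS,
# NAME WRONG_REALM ACTUAL_REALM, or NAME MALFORMED.
audit_authorities() {
    awk -v realm="$1" '
    NF == 0 { next }
    {
        name = $1
        if ($0 !~ /;Kerberosv5;/) { print name, "MISSING_KERBEROS"; next }
        # Kerberosv5 authority fields after the tag: slot;principal;realm;public key
        s = substr($0, index($0, ";Kerberosv5;") + 12)
        n = split(s, f, ";")
        if (n < 3) { print name, "MALFORMED"; next }
        if (f[3] != realm) { print name, "WRONG_REALM", f[3]; next }
        print name, "OK", f[2]
    }'
}

# Count records that still lack a Kerberos authority (these are the ones
# mkpassdb -kerberize / slapconfig -kerberize should have fixed up).
count_missing_kerberos() {
    audit_authorities "$1" | grep -c MISSING_KERBEROS
}

# Against the live node (assumed node path), run as root on the OD master:
#   dscl /LDAPv3/127.0.0.1 -list /Users AuthenticationAuthority | audit_authorities REALM.EXAMPLE.COM
printf '%s\n' "$SAMPLE_DSCL_OUTPUT" | audit_authorities REALM.EXAMPLE.COM
```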

    #375977

    rstasel
    Participant

    I’m not sure I understand. From what I can see, stuff looks fine in kadmin.local. And running ps aux shows a kdc process running, as well as serveradmin saying kerberos is running.

    So, not sure I know what to look for, or how to recognize, if something isn’t working… all I can really tell is mkpassdb -kerberize is stuck when it’s called from slapconfig. If I open up a new terminal, and run mkpassdb -kerberize myself, it works fine, and runs through about 13k worth of passdb entries.

    #375978

    rstasel
    Participant

    I should be more specific. There is a krb5kdc process running with the proper realm, and a kdcmond also running.

    I let mkpassdb -kerberize that was called from slapconfig run overnight, and it has still not produced any output. Wish it was just a script so I could go in there and debug it/add some verbosity.

    I almost wonder if mkpassdb starts before kerberos has a chance to start up after kdcsetup, etc.

    #375979

    rstasel
    Participant

    further info…

    After killing all the files and entries I listed before, I rebooted and noticed kdcmond was still trying to load. So I ran `launchctl unload -w /System/Library/LaunchDaemons/com.apple.kdcmond.plist`. That seemed to fix that. Figuring it might be preventing something with the mkpassdb process from running smoothly.

    Nada. Running the command again gives the same problem.

    The interesting part is that mkpassdb is running in ps aux, and top shows it using 0.2% cpu. But `fs_usage mkpassdb` shows only a couple entries after running for over 10 minutes… so if it’s doing something, it’s doing it VERY slowly.

    #375987

    rstasel
    Participant

    leaving the process running over the weekend changed nothing.

    I can’t help but think this is a bug in slapconfig, as mkpassdb -kerberize runs fine otherwise.

    #376011

    rstasel
    Participant

    Seemingly, no.

    No matter what I try, I keep getting: “Kerberos Login Failed: Client not found in Kerberos database” on the actual OD master machine. The machine is listed in computers in the OD, and has a kerberos entry.

    Users with or without the kerberos auth info get the same response.

    Thoughts?

    #376012

    rstasel
    Participant

    okay, correction.

    I manually ran mkpassdb -kerberize, and now kerberos works. I can get issued a ticket on an account that has the kerberos authentication info in their user account. A user that does not have that info gets an error:

    kinit: Unable to create principal for current user: Unknown Error Code: 118
    kinit: Error getting initial tickets: Operation not permitted

    So, still having the initial issue.

    #376013

    rstasel
    Participant

    further correction, that error was due to a home folder not mounting correctly. I changed the home folder, and now kinit for a user that’s missing kerberos info in their account works.

    Odd. I wouldn’t think this should work…

    #377443

    macmanjim
    Participant

    I’ve reconfigured my kerberos as per: http://www.netmojo.ca/2008/01/30/tiger-to-leopard-server-migration-part-four/

    When I get to the command: sso_util configure -r MYREALM.CA -a diradmin -p mypasswd all

    I get this error:

    Contacting the directory server
    /Local/Default
    /BSD/local
    /LDAPv3/127.0.0.1
    Creating the service list
    Creating the service principals
    kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
    SendInteractiveCommand: failed to get pattern
    The system log shows this:

    Nov 3 14:06:22 aeaserver ReportCrash[88903]: Formulating crash report for process kdcsetup[88894]
    Nov 3 14:06:23 aeaserver ReportCrash[88903]: Saved crashreport to /Library/Logs/CrashReporter/kdcsetup_2009-11-03-140622_aeaserver.crash using uid: 0 gid: 0, euid: 0 egid: 0

    When I looked in the /var/krb5kdc directory, the principals I created are gone. What happened?

    #377834

    rstasel
    Participant

    I’d suggest looking at this:

    http://support.apple.com/kb/HT3655

    It actually works.

    #377835

    macmanjim
    Participant

    I had tried it and it worked initially, but then I started having issues with computers bound to OD. I ended up nuking and repaving whilst upgrading to 10.6.

    #378428

    sramdeen
    Participant

    I also had this same issue on a 10.5.8 server just now. It was hanging at the mkpassdb stage and therefore wasn’t getting onto the actual authauthority creation stage. I tried following the Apple instructions to the letter but it still didn’t work.

    What I did instead was temporarily move mkpassdb to mkpassdb.apple and symlink /usr/bin/true to /usr/sbin/mkpassdb.

    I ran all of the steps again and it completed successfully. I had a bunch of correct kerb authauthority records in my OD. I then deleted my symlink and ran mkpassdb -kerberize manually.

    As a last step I ran sso_util to configure the server for all services and tested it. Worked like a charm! Kerb on the clients is now working a treat.

    Hope this might help others in the same situation.

    Cheers

    Stu
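The workaround in this post (move mkpassdb aside, symlink /usr/bin/true in its place, rerun the steps, then restore it) written as a helper that puts the real binary back even when the wrapped command fails, as an added example that is not from the thread. The mkpassdb and slapconfig paths in the usage line are assumptions; it has to run as root on the OD master, and mkpassdb -kerberize still has to be run by hand afterwards, as the post says, because the stub skips that step.

```shell
#!/bin/sh
# Added example, not from the thread: temporarily replace a binary with a
# symlink to /usr/bin/true while a command runs, then restore the original
# whatever the command's exit status. Paths below are assumptions.
#
# usage: run_with_stubbed_binary /usr/sbin/mkpassdb \
#            slapconfig -kerberize -f diradmin REALM.EXAMPLE.COM

run_with_stubbed_binary() {
    target="$1"; shift
    backup="${target}.apple"
    [ -e "$target" ] || { echo "no such binary: $target" >&2; return 2; }
    # Refuse to clobber a leftover backup from an earlier, interrupted run.
    [ ! -e "$backup" ] || { echo "backup already exists: $backup" >&2; return 2; }
    mv "$target" "$backup"
    ln -s /usr/bin/true "$target"
    status=0
    "$@" || status=$?          # capture failure without aborting under set -e
    # Put the real binary back regardless of how the command ended.
    rm -f "$target"
    mv "$backup" "$target"
    return "$status"
}
```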
