#357251 Anonymous (Participant)

    Hi all.

    Thanks to the articles here and a couple of pages from the O’Reilly Kerberos book, I’ve finally got things working. And shortly after getting Kerberos working, single sign-on and network home directories worked too.

    Things were really in a mixed-up state after the original installation that failed to get Kerberos started properly (DNS, OD and KDC all on one machine). Hopefully the hints below will help others:

    1. The two Kerberos articles are very useful. Read them and have a sense of the commands you’re going to need to execute.

    2. Things seem to struggle if the machine is multi-homed or has multiple network interfaces. I gave up trying to have the KDC act as a routable server and the server for my internal network too. I put a router/firewall on a separate box so the OD/KDC has a single IP address. Use the firewall to forward mail & other requests to the server. It might be possible to get this working but I don’t control the reverse DNS for my DSL addresses so I didn’t want to push it. I’d love to hear from anyone that has such a setup working.

    3. I recommend killing all krb5-related files before starting the steps outlined in the article. If you’ve attempted getting the server set up and failed, then Panther will automatically keep re-starting the Kerberos daemons. Use:

        sudo rm -rf /var/db/krb5kdc/*
        sudo rm /etc/krb5.keytab

    Then kill the daemons. Panther will attempt to re-launch the daemons and they will exit after not finding config files. Doing it in the opposite order re-spawns the daemons.

    4. Double-check the Kerberos prefs file on the client machines. In my case, they had the IP address of the second Ethernet card (with the public internet address rather than the local IP address). This file is at /Library/Preferences/edu.mit.Kerberos. If it doesn’t match your KDC info, either edit it manually or edit it in the LDAP database (use the Inspector to find the KDCClient entry).

    As I mentioned above, things can get really munged if the install fails. I couldn’t erase and start over (our mail server had already moved to the new machine), so I had to make the changes without blowing away the existing accounts/mail spools. It’s slow but it can be done. No one step is that difficult; getting the sequence right was a real challenge. The good thing is that I only had to reboot my server once (and that was more of a test than a real necessity).

    anup
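The stale-address problem in step 4 is easy to check for before a login fails. The script below is an added example and is not part of the original post: it pulls the kdc entries for a realm out of a client prefs file and compares them with the address the KDC actually has on the LAN. It assumes the prefs file uses MIT krb5.conf syntax (a [realms] section with "REALM = { kdc = host:port }" blocks), which is what /Library/Preferences/edu.mit.Kerberos contains; the realm name, the addresses and the sample file it writes are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: report a client Kerberos prefs
# file whose kdc entries point at the wrong address (the step 4 problem, where
# the file carried the server's public-side address instead of its LAN one).
# Assumption: the file is in MIT krb5.conf syntax, as
# /Library/Preferences/edu.mit.Kerberos is. Realm and addresses are constructed.

# Print the kdc values (host:port) listed for REALM in the prefs file PREFS.
kdc_entries() {
    prefs=$1
    realm=$2
    awk -v realm="$realm" '
        $1 ~ /^\[/ { in_realms = ($1 == "[realms]"); in_realm = 0; next }
        in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_realm = 1; next }
        in_realm && $1 == "}" { in_realm = 0; next }
        in_realm && $1 == "kdc" && $2 == "=" { print $3 }
    ' "$prefs"
}

# Return 0 when every kdc entry for REALM names EXPECTED_HOST, 1 otherwise.
# Mismatches, and a realm with no kdc lines at all, are reported on stderr.
check_kdc() {
    prefs=$1
    realm=$2
    expected=$3
    entries=$(kdc_entries "$prefs" "$realm")
    if [ -z "$entries" ]; then
        echo "no kdc entries for realm $realm in $prefs" >&2
        return 1
    fi
    status=0
    for entry in $entries; do
        host=${entry%%:*}   # drop the :88 port suffix
        if [ "$host" != "$expected" ]; then
            echo "realm $realm lists kdc $entry, expected $expected" >&2
            status=1
        fi
    done
    return $status
}

# Write a constructed prefs file that reproduces the step 4 mistake: the kdc
# line carries the public-side address (203.0.113.10) rather than the LAN
# address of the KDC (192.168.1.2). Prints the path of the file it wrote.
sample_prefs_file() {
    f=$(mktemp "${TMPDIR:-/tmp}/edu.mit.Kerberos.XXXXXX")
    cat > "$f" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = 203.0.113.10:88
        admin_server = 203.0.113.10
    }

[domain_realm]
    .example.com = EXAMPLE.COM
EOF
    echo "$f"
}

# Stand-alone run: check the constructed file against the KDC's LAN address.
demo=$(sample_prefs_file)
if check_kdc "$demo" EXAMPLE.COM 192.168.1.2; then
    echo "kdc entries in $demo match"
else
    echo "fix $demo (or the KDCClient entry in LDAP) before retrying"
fi
rm -f "$demo"
```

To run it against a real client, call check_kdc with the actual file, realm and LAN address of the KDC, for example check_kdc /Library/Preferences/edu.mit.Kerberos YOUR.REALM 192.168.1.2; a non-zero exit means the file still needs the manual or LDAP edit described in step 4.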
