Trouble with Replicas – no keytab file in /etc

    #368464
    hjenkins
    Participant

    I’m really struggling with this one now.

    I have my OD master in London with Kerberos working fine and nice clean log file relatively free of errors. I have 2 Replicas, one is a mail server on the local LAN the other is a file server based in our New York office. Our offices are connected via a Sonicwall VPN tunnel so we have two subnets:

    192.168.1.1/24
    192.168.166.1/24

    The replication to our mail server is all working OK. I just can’t seem to get the replication to New York working. This was all working until I upgraded our OD master to an Intel Xserve and our various Asanté network switches were replaced with a new HP ProCurve switch.

    Initially I’ve been struggling to get the replication to work at all. As I watch the replication process, the bar moves to the end, appears to finish, and skips enabling the password service and Kerberos services. The OD settings then revert back to standalone. However, after a few attempts I get the replication process to finish with enabling the password service and Kerberos services. However, I am unable to get a Kerberos ticket and the /etc/krb5.keytab file is not present.
    If I run kadmin.local and then ktadd -global *, it will create the keytab file but I still can’t get a ticket.

    The OD master settings read:
    ERROR: (See /var/run/openldap-slurp/replica/192.168.166.5:389.rej)
    which contains lots of errors like this one:

    ERROR: Type or value exists: modify/add: loginShell: value #0 already exists
    replica: 192.168.166.5:389
    time: 1172592490.3

    The slapconfig log on the replica looks like this:

    2007-03-01 06:54:07 -0500 – 10 Enabling local Kerberos server
    2007-03-01 06:54:07 -0500 – command: /usr/sbin/kdcsetup -c /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 SERVER.DOMAIN.COM
    2007-03-01 06:54:09 -0500 – kdcsetup command output:
    Contacting the Directory Server
    Authenticating to the Directory Server
    Creating Kerberos directory
    Creating KDC Config File
    {type = immutable, count = 1, values = (
    0 : {type = mutable, count = 0, capacity = 4, pairs = (
    )}
    )}
    Adding KDC to launchd
    Adding the new KDC into the KerberosClient config record
    Finished
    2007-03-01 06:54:09 -0500 – command: /usr/sbin/sso_util configure -r SERVER.DOMAIN.COM -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 all
    2007-03-01 06:54:10 -0500 – sso_util command output:
    Contacting the directory server
    Creating the service list
    Creating the service principals
    kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
    2007-03-01 06:54:10 -0500 – sso_util command failed with status 2
    2007-03-01 06:54:10 -0500 – command: /usr/sbin/sso_util configure -r SERVER.DOMAIN.COM -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 ldap
    2007-03-01 06:54:10 -0500 – sso_util command output:
    Contacting the directory server
    Creating the service list
    Creating the service principals
    kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
    2007-03-01 06:54:10 -0500 – sso_util command failed with status 2
    2007-03-01 06:54:10 -0500 – command: /sbin/kerberosautoconfig -u -v 1
    2007-03-01 06:54:10 -0500 – command: /usr/sbin/vpnaddkeyagentuser -q /LDAPv3/127.0.0.1

    The LDAP Error log on the replica looks like this:

    Mar 1 2007 06:24:12 LauchTaskWithIO path = /usr/sbin/kdb5_util, arg1 = dump, arg2 = /var/db/krb5kdc/KerbDumpFilerdFnP, status = 1
    Mar 1 2007 06:24:19 LauchTaskWithIO path = /usr/sbin/kdb5_util, arg1 = dump, arg2 = /var/db/krb5kdc/KerbDumpFileWlxJN, status = 1
    Mar 1 2007 06:24:19 LauchTaskWithIO path = /usr/sbin/kdb5_util, arg1 = dump, arg2 = -, status = 1
    Mar 1 2007 06:24:19 LauchTaskWithIO path = /usr/sbin/kdb5_util, arg1 = dump, arg2 = -, status = 1
    Mar 1 2007 06:24:19 LauchTaskWithIO path = /usr/sbin/kdb5_util, arg1 = dump, arg2 = -, status = 1

    Also, should I be able to see an open port when port scanning the server on ports 88 and 749?

    Any help would be really appreciated as I’m running out of ideas!!!
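The slapconfig excerpt above ends with sso_util failing twice because kadmin reports "Missing parameters in krb5.conf required for kadmin client". As an added example, not from the original post and not Apple's or MIT's code, here is a Python check that parses the realm stanza of a krb5.conf and reports which of the parameters the MIT kadmin client needs are absent. The two krb5.conf fragments, the host names and the ports are constructed; that a missing admin_server line is the usual cause of this particular error is an assumption stated in the code.

```python
import re

# Constructed krb5.conf fragments modelled on the realm named in the thread;
# host names, ports and the realm itself are assumptions, not the poster's files.
KRB5_CONF_BROKEN = """\
[libdefaults]
    default_realm = SERVER.DOMAIN.COM

[realms]
    SERVER.DOMAIN.COM = {
        kdc = server.domain.com:88
    }

[domain_realm]
    .domain.com = SERVER.DOMAIN.COM
    domain.com = SERVER.DOMAIN.COM
"""

# Same file with the admin_server line the kadmin client needs.
KRB5_CONF_FIXED = KRB5_CONF_BROKEN.replace(
    "        kdc = server.domain.com:88\n",
    "        kdc = server.domain.com:88\n        admin_server = server.domain.com:749\n",
)

SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")
BLOCK_OPEN = re.compile(r"^\s*(\S+)\s*=\s*\{\s*$")
KEYVAL = re.compile(r"^\s*(\S+)\s*=\s*(.+?)\s*$")


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax that matters here: [sections],
    `key = value` lines and one level of `NAME = { ... }` sub-blocks.
    Repeated keys (several `kdc` lines, for instance) are kept as lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank line or comment
        m = SECTION.match(line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("key/value outside any [section]: %r" % raw)
        if line.strip() == "}":
            block = None
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            block = m.group(1)
            conf[section].setdefault(block, {})
            continue
        m = KEYVAL.match(line)
        if not m:
            raise ValueError("unparsable krb5.conf line: %r" % raw)
        target = conf[section][block] if block else conf[section]
        target.setdefault(m.group(1), []).append(m.group(2))
    return conf


# Realm-stanza keys the MIT kadmin client reads before it can reach kadmind on 749.
# That a missing admin_server is behind the "Missing parameters in krb5.conf" error
# is the usual cause but an assumption here; other absent parameters raise it too.
REQUIRED_FOR_KADMIN = ("kdc", "admin_server")


def kadmin_client_gaps(conf, realm=None):
    """Return the realm-stanza keys kadmin would be missing (empty list = fine).
    Defaults to [libdefaults] default_realm when no realm is given."""
    if realm is None:
        realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        return ["default_realm"]
    stanza = conf.get("realms", {}).get(realm)
    if stanza is None:
        return ["realms/" + realm]
    return [k for k in REQUIRED_FOR_KADMIN if k not in stanza]


if __name__ == "__main__":
    for label, text in (("broken", KRB5_CONF_BROKEN), ("fixed", KRB5_CONF_FIXED)):
        print(label, "->", kadmin_client_gaps(parse_krb5_conf(text)) or "ok")
```

Point the parser at the replica's real /etc/krb5.conf (or the file kdcsetup generated) and compare the realm stanza against the master's; a stanza that names a kdc but no admin_server is enough to stop sso_util's principal creation, and it fails before any port 88 or 749 traffic is attempted, so a port scan will not show the cause.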

    #368465
    hjenkins
    Participant

    Latest developments:
    Noticed that my KDC log files on the replica in New York read the following lines:

    Mar 02 08:57:08 server2.domain.com krb5kdc[26010](info): setting up network…
    krb5kdc: Address already in use – Cannot bind server socket to port 88 address fe80::20a:95ff:fe78:360e%en0
    Mar 02 08:57:08 server2.domain.com krb5kdc[26010](info): set up 0 sockets
    krb5kdc: no sockets set up?

    I am unable to telnet or portscan to this port from the master or replica, even when using 127.0.0.1 from the master. Is this normal?

    Could it perhaps be related to the Intrusion Prevention Services (IPS) set on my router? I’ve turned this off and I still can’t access port 88. Would I need to activate it somehow after turning off my IPS and then trying?

    #368466
    hjenkins
    Participant

    Feel like I’m getting closer:
    I noticed the following in the KDC logs on the master:

    Mar 05 10:35:32 server.domain.com krb5kdc[363](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.31: UNKNOWN_SERVER: authtime 1173084183, [email protected] for host/[email protected], Server not found in Kerberos database SERVER.DOMAIN.COM

    If I do a klist -k on the master I get:

    Welcome to Darwin!
    server:~ root# klist -k
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    —- ————————————————————————–
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 xgrid/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 vpn/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 ipp/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 XMPP/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 host/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 smtp/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 http/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 HTTP/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 pop/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 imap/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 ftp/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]
    3 afpserver/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]
    3 ldap/[email protected]

    Should I see server2/[email protected] where server2.domain.com is my replica server?
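Taking the KDC log excerpts from the second and third posts and the klist -k listing together, here is an added Python example, not part of the thread and not Apple's or MIT's tooling. It reads krb5kdc log lines of the kind quoted above and (a) flags a KDC that failed to bind port 88 and finished start-up with zero sockets, in which case nothing answers on 88 from any host, loopback included, whatever the router's IPS does; and (b) pulls the service principal out of an UNKNOWN_SERVER rejection and checks it against a kadmin.local listprincs dump of the KDC database and against a host's klist -k keytab listing. All sample logs, principal names, hosts and the listprincs/klist output are constructed. Note that klist -k only shows keys in that host's own keytab, so the replica's host principal is looked for in the KDC database and in the replica's keytab, not in the master's.

```python
import re

# Constructed sample logs modelled on the krb5kdc lines quoted in the thread.
# Host names, the client principal and timestamps are assumptions, not the poster's data.
KDC_LOG_REPLICA = """\
Mar 02 08:57:08 server2.domain.com krb5kdc[26010](info): setting up network...
krb5kdc: Address already in use - Cannot bind server socket to port 88 address fe80::20a:95ff:fe78:360e%en0
Mar 02 08:57:08 server2.domain.com krb5kdc[26010](info): set up 0 sockets
krb5kdc: no sockets set up?
"""

KDC_LOG_MASTER = """\
Mar 05 10:35:32 server.domain.com krb5kdc[363](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.31: UNKNOWN_SERVER: authtime 1173084183, alice@SERVER.DOMAIN.COM for host/server2.domain.com@SERVER.DOMAIN.COM, Server not found in Kerberos database
Mar 05 10:36:01 server.domain.com krb5kdc[363](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.31: ISSUE: authtime 1173084183, etypes {rep=16 tkt=16 ses=16}, alice@SERVER.DOMAIN.COM for afpserver/server.domain.com@SERVER.DOMAIN.COM
"""

# `klist -k` on the master, trimmed to three services (constructed).
KLIST_MASTER = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.domain.com@SERVER.DOMAIN.COM
   3 ldap/server.domain.com@SERVER.DOMAIN.COM
   3 afpserver/server.domain.com@SERVER.DOMAIN.COM
"""

# `kadmin.local -q listprincs` on the master (constructed). The replica's host
# principal is deliberately absent: that is what UNKNOWN_SERVER above complains about.
LISTPRINCS_MASTER = """\
Authenticating as principal root/admin@SERVER.DOMAIN.COM with password.
K/M@SERVER.DOMAIN.COM
kadmin/admin@SERVER.DOMAIN.COM
krbtgt/SERVER.DOMAIN.COM@SERVER.DOMAIN.COM
host/server.domain.com@SERVER.DOMAIN.COM
ldap/server.domain.com@SERVER.DOMAIN.COM
afpserver/server.domain.com@SERVER.DOMAIN.COM
alice@SERVER.DOMAIN.COM
"""

BIND_FAIL = re.compile(r"Cannot bind server socket to port (\d+) address (\S+)")
SOCKETS = re.compile(r"set up (\d+) sockets")
UNKNOWN = re.compile(r"UNKNOWN_SERVER: authtime \d+, (\S+) for (\S+), Server not found")
KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_kdc_log(text):
    """Collect bind failures, the socket count reported at start-up (None if the
    excerpt has no such line) and every UNKNOWN_SERVER rejection with its principals."""
    findings = {"bind_failures": [], "sockets": None, "unknown_servers": []}
    for line in text.splitlines():
        m = BIND_FAIL.search(line)
        if m:
            findings["bind_failures"].append((int(m.group(1)), m.group(2)))
            continue
        m = SOCKETS.search(line)
        if m:
            findings["sockets"] = int(m.group(1))
            continue
        m = UNKNOWN.search(line)
        if m:
            findings["unknown_servers"].append({"client": m.group(1), "server": m.group(2)})
    return findings


def kdc_is_serving(findings):
    """A KDC that logged 'set up 0 sockets' is not listening at all, so port 88
    looks closed from every client; any other count (or no line) is treated as up."""
    return findings["sockets"] != 0


def parse_keytab_listing(text):
    """Parse `klist -k` output into {principal: highest kvno present}."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            kvno, princ = int(m.group(1)), m.group(2)
            keys[princ] = max(kvno, keys.get(princ, 0))
    return keys


def parse_listprincs(text):
    """Parse `kadmin.local -q listprincs` output into a set of principals,
    skipping kadmin's own 'Authenticating as principal ...' banner."""
    return {ln.strip() for ln in text.splitlines()
            if "@" in ln and not ln.startswith("Authenticating")}


def triage_unknown_servers(findings, db_principals, keytabs):
    """For each service principal the KDC rejected, report whether the KDC database
    knows it and whether the service host's keytab holds a key for it.
    `keytabs` maps a host name to that host's parsed `klist -k` output."""
    report = []
    for u in findings["unknown_servers"]:
        princ = u["server"]
        _svc, _, rest = princ.partition("/")
        host = rest.split("@", 1)[0]
        report.append({
            "principal": princ,
            "in_kdc_database": princ in db_principals,
            "in_host_keytab": princ in keytabs.get(host, {}),
        })
    return report
```

Run the two parsers over the real files and the picture is usually immediate: a replica whose KDC logged zero sockets needs the port 88 conflict resolved before anything else, and an UNKNOWN_SERVER entry whose principal is absent from listprincs on the master points at the KDC database, not at the master's keytab.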
