Forum Replies Created
Anonymous
Participant
What you say about the use of a “startup” item may be true, but it should not be necessary.
If using “net groupmap add” returns with a statement that “the db was updated” then the mapping should have been written to the database file and be retained until changed. And you should be able to boot that server until the cows come home and have that info available.
As near as I can tell, the information should be written to the “group_mapping.tdb”, but that file is not being modified. It retains the original date and time stamp from Apple and the contents do not get added to.
What compounds the problem is that the documentation is out of date. The Samba how-to included with OS X 10.3 has directions on using “groupadd” but that utility is not installed; other web references refer to “smbgroupedit”, but again it is not installed. And other references go with “smbldap-groupadd”. All appear to have been superseded by “net groupmap”.
I am going to attempt to use the older smbldap-groupadd tool on my test server to see if it can actually write to the database.
Anonymous
Participant
Using the “net groupmap (add) (modify) (etc.)” I have been able to “add” group mappings for ntgroups to unixgroups, and the MMC on the WinXP clients can see and add those groups to the local machine.
You would think now all would be right with the world.
But…..
When we reboot or cold start the server, the group mappings are all gone. Even though when we use the “net groupmap” command and it returns with “db updated”, it’s lying through its teeth.
The data seems to be retained in a temp file or cache somewhere and not actually written out to the “db”. What is interesting is that you can do a “net groupmap list” or “net group” and you get a list of any ntgroups you added or mappings you made, complete with SIDs.
Just don’t reboot the server!
Anonymous
Participant
The “spike” is on the AD domain controllers. Most of our file-servers are Samba on Linux/Solaris – AD has only really been added to support central authentication for our Windows clients.
Since 10.3 now integrates very well with AD (and it seems to be about the only way to get off-line support without creating a whole separate new user list (we have 4000 staff members and 40,000 students) of accounts on OSXS.
Anonymous
Participant
😮
Sorry, I posted into a new thread instead of replying here.
I’ve posted some recommendations from my attempts to get Kerberos working. The thread is in this forum and has the same subject as this message.
I’m happy to try and provide more detail if anyone needs it.
anup
Anonymous
Participant
I’m half-way through my problem, I have successfully been able to forward udp connections to the remote server using zebedee (very easy to compile for mac). However, I didn’t get it to do “reverse” forwarding…
Does anyone have an idea on how to do that, or use zebedee in combination with ssh?
thanks
Anonymous
Participant
The reason I am using ssh tunnels is that I don’t have administrative access to my firewall, which only lets through port 80…. Can I still access ipsec through that?
thanks for any reply!
Anonymous
Participant
It works fine 😉
Anonymous
Participant
I don’t think this is necessary
typing
kinit [email protected]
should do the trick
January 15, 2004 at 12:00 pm in reply to: Questions: PHP with sending mail on Mac OS X Server 10.2 #357209
Anonymous
Participant
You may want to consider the phpmail class http://phpmailer.sourceforge.net/ as an alternative way to php mail
Anonymous
Participant
Thanks for this. It’s helped me take a step forward in getting things to work (but single sign-on still isn’t working). At least the KDC runs and I can see tickets being issued locally on the server.
One note is that if you created accounts before setting up the kerberos realm, those accounts won’t have the KDC as an authentication authority. With the KDC server running, use Workgroup Manager to reset the password type (advanced tab on each user account) for each account to “Crypt”, save, and then back to “Open Directory”. This way the kerberos authentication authority is properly added to the user’s LDAP record.
New accounts get added to the KDC realm automatically and are set up correctly.
I can log into the server and see my TGT after “kinit” and “klist” but remote machines don’t seem to authenticate. Logins for a network account hang on the login window. Any suggestions?
anup
Anonymous
Participant
I get the beeps and the error box at the beginning.
I had to change a small item in the ipsec.sh script:
Original:
awk 'BEGIN {while ("ifconfig -a" | getline) {
New:
awk 'BEGIN {while ("ifconfig -L en1" | getline) {
And it works fine after that.
So the beeps and error box are a nuisance but the program works.
Any idea on when we will be able to download a version that works with 10.3 cleanly?
Anonymous
Participant
Joel,
Assuming I can find the file with lsof, how can the file be released?
Anonymous
Participant
This is the error message I got.
192.168.2.1 is the IP address of network card ‘dc0’.
192.168.2.2 is the manually configured IP address of Airport Extreme card.
There isn’t any need for ‘NAT’. If phase 1 fails to establish security association then surely phase 2 will time out.
++++++++++++++++++++++++++++++
Jan 12 21:01:09 localhost racoon: ERROR: isakmp.c:2033:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.2.1->192.168.2.2
Jan 12 21:02:38 localhost racoon: ERROR: isakmp.c:1694:isakmp_ph1resend(): phase1 negotiation failed due to time up. 45da2f8ce3b8a2bf:0000000000000000
++++++++++++++++++++++++++++++
Anonymous
Participant
Please let me have your e-mail address, I am most happy to send you my gateway’s IP address.
My e-mail address is ” alexleeATcharterDOTnet “.
Anonymous
Participant
Oh and it only took me until 2 a.m. to get ssl moved to the new server … same dns, same ip. I think Apple’s server admin tools are broken for this.
I ended up copying the cert and key from the old server and renaming them for the new site.
peet