Forum Replies Created

Viewing 3 posts - 1 through 3 (of 3 total)
  • in reply to: mail store and database on other partition #365530
    JP
    Participant

    Tried to move both database and store to another partition too, and ran into the same problems.
    The first sign of a problem is that “master” isn’t able to create the lmtpunix listener socket because of an “Invalid argument”. The only argument that changed for lmtpunix in the cyrus.conf is the listen path. So I returned that to the original 'listen="/var/imap/socket/lmtp"'.
    This got rid of the “Invalid argument” error, but deliver still tried to connect to the new location, as it defaults to {configdirectory}/socket/lmtp, so I added “lmtpsocket: /var/imap/socket/lmtp” to the imapd.conf.

    This resolved the error messages, and the mail did get delivered.

    The question remains why the new listen path wasn’t accepted. If it’s the use of uppercase, I don’t know how to work around it, as we are stuck with one in “/Volumes”.

    in reply to: Active Directory AND SunLDAP #357078
    JP
    Participant

    Joel

    Yeah, that’s the theory, but it simply doesn’t work.
    I point at the LDAP server as the only thing in the Authentication tab of Directory Services and can log in with a testuser network account. This testuser exists in the LDAP and AD with the same password. Fine (FYI, we are using Apple’s schema, just hosting it on a Sun).

    Next, I get my edu.mit.Kerberos file to point at AD – I can get Kerberos tickets manually (with the Get tickets button in the gui or kinit).

    Next, I reboot and disable the testuser account in AD. This *should* prevent login, shouldn’t it?

    But I can still log in (since LDAP allows me in) but of course I can’t get a Kerberos ticket.

    Set password to expire in AD and I can still log in but I can’t get a Kerberos ticket – the GUI even tells me why – the password has expired.

    This is being tested on a virgin 10.3 install – loginwindow.app is just not respecting the Kerberos rules.

    All of the above happens whether I mess with /etc/authorization or not. Any ideas?

    in reply to: Active Directory AND SunLDAP #357061
    JP
    Participant

    Joel

    The documentation does indeed say:
    Both Kerberos & OpenDirectory Password server enforce password policies.

    However, how am I supposed to enable the Kerberos option on 10.3 without editing /etc/authorization – Apple say you have to set the password type to Open Directory…. but if I do that, then I can’t use my LDAP <-> AD password synch tool which requires Crypt password in LDAP.

    Unfortunately the services we need from the Suns aren’t Kerberized, so we need the AD password (Kerberos one) to be the same as the user’s password in LDAP.

    Maybe I’m missing something obvious here. It seems I’m so close to what we need but none of the options give us all of the answers.
