Forum Replies Created

Viewing 15 posts - 1 through 15 (of 19 total)
  • in reply to: VPN #374769
    VirtualWolf
    Participant

    For PPTP, just TCP 1723. For L2TP, UDP 500, 4500, and 1701.

    (I may be slightly wrong here, but that’s what I have set on my AirPort Extreme and it’s working. :))

    in reply to: PPTP VPN connection suddenly playing up #372416
    VirtualWolf
    Participant

    I’ve done more fiddling. I temporarily got things going by running the vpnaddkeyagentuser on the server, and it was working for a day, but it appears to have broken again. I can either connect but no traffic is passed through, or it just won’t connect at all. 🙁

    in reply to: PPTP VPN connection suddenly playing up #372296
    VirtualWolf
    Participant

    So, I got home and found out we had a blackout today! So no need to restart the server. 😛

    I’m thinking that perhaps that might have broken something though, because I’ve set up L2TP as well, and now both it and PPTP consistently get to the “Authenticating” stage and get no further. The VPN log on the server reports this:

    [quote][code]Thu Apr 17 20:55:04 2008 : PPTP incoming call in progress from ‘119.11.4.22’…
    Thu Apr 17 20:55:04 2008 : PPTP connection established.
    Thu Apr 17 20:55:04 2008 : using link 0
    Thu Apr 17 20:55:04 2008 : Using interface ppp0
    Thu Apr 17 20:55:04 2008 : Connect: ppp0 <--> socket[34:17]
    Thu Apr 17 20:55:04 2008 : sent [LCP ConfReq id=0x1 ]
    Thu Apr 17 20:55:04 2008 : rcvd [LCP ConfReq id=0x1 ]
    Thu Apr 17 20:55:04 2008 : lcp_reqci: returning CONFACK.
    Thu Apr 17 20:55:04 2008 : sent [LCP ConfAck id=0x1 ]
    Thu Apr 17 20:55:07 2008 : sent [LCP ConfReq id=0x1 ]
    Thu Apr 17 20:55:07 2008 : rcvd [LCP ConfReq id=0x1 ]
    Thu Apr 17 20:55:07 2008 : lcp_reqci: returning CONFACK.
    Thu Apr 17 20:55:07 2008 : sent [LCP ConfAck id=0x1 ]
    Thu Apr 17 20:55:07 2008 : rcvd [LCP ConfAck id=0x1 ]
    Thu Apr 17 20:55:07 2008 : sent [LCP EchoReq id=0x0 magic=0x6e42c470]
    Thu Apr 17 20:55:07 2008 : sent [CHAP Challenge id=0x2 <53a3cdc556c18fbcf8d52f348e808215>, name = “sprite.core”]
    Thu Apr 17 20:55:07 2008 : rcvd [LCP EchoReq id=0x0 magic=0x1b95df8c]
    Thu Apr 17 20:55:07 2008 : sent [LCP EchoRep id=0x0 magic=0x6e42c470]
    Thu Apr 17 20:55:07 2008 : rcvd [LCP EchoRep id=0x0 magic=0x1b95df8c]
    Thu Apr 17 20:55:07 2008 : rcvd [CHAP Response id=0x2 , name = “virtualwolf”]
    Thu Apr 17 21:00:39 2008 : sent [CHAP Success id=0x2 “S=61726C6707EC5B0EF707D530EADA03D587EB6F52 M=Access granted”]
    Thu Apr 17 21:00:39 2008 : CHAP peer authentication succeeded for virtualwolf
    Thu Apr 17 21:00:42 2008 : DSAccessControl plugin: User ‘virtualwolf’ authorized for access
    Thu Apr 17 21:00:42 2008 : sent [CCP ConfReq id=0x1 ]
    Thu Apr 17 21:00:42 2008 : PPTP hangup
    Thu Apr 17 21:00:42 2008 : Connection terminated.
    Thu Apr 17 21:00:42 2008 : Connect time 5.7 minutes.
    Thu Apr 17 21:00:42 2008 : Sent 0 bytes, received 0 bytes.
    Thu Apr 17 21:00:42 2008 : PPTP disconnecting…
    Thu Apr 17 21:00:42 2008 : PPTP disconnected[/code][/quote]

    in reply to: Changing Kerberos Realm Name #369175
    VirtualWolf
    Participant

    Sorry for the bump of an old thread…

    Was there a way to easily change the Kerberos realm name? Or at least a step by step guide. I couldn’t glean much of use from the sso_util manpage either, and I don’t really want to bollocks everything up blindly flailing around trying things. 😉

    in reply to: Extending Kerberos ticket lifetime? #368737
    VirtualWolf
    Participant

    Ah HA!

    I forgot to change the ticket options in the Kerberos app (in Preferences>Default Ticket Options and Time Ranges tabs). It’s all working correctly now.

    Many thanks, Daron!

    in reply to: Extending Kerberos ticket lifetime? #368736
    VirtualWolf
    Participant

    Ok, so with a bit of fiddling around I’ve got LDAP Studio worked out, the maximum life has been changed to 7 days, and that dscl command is returning the proper details, but even after restarting the kdcmond daemon and making those other changes with kadmin you suggested, it’s not giving me longer than 10 hours. 🙁

    in reply to: Extending Kerberos ticket lifetime? #368735
    VirtualWolf
    Participant

    Thanks Daron!

    However, I’m a bit of a n00b at all this, so I’m unsure of how to actually go about doing what you suggest. 😉 The dscl command does return the ticket lifetime as being 10 hours. I’ve tried using that LDAP Studio app, but it doesn’t want to actually connect… it comes up with a message saying:

    simple bind failed: sprite.core:389
    Remote host closed connection during handshake
    SSL peer shut down incorrectly

    I’m pretty sure I understand the rest of it! 😉

    in reply to: Extending Kerberos ticket lifetime? #368528
    VirtualWolf
    Participant

    Crap. I’ve changed the maximum ticket lifetime to 21 days on the server and rebooted it, but when I try to get a ticket above ten hours, I [i]still[/i] get 10:01. 🙁 It just does not want to go higher than that. Argh.

    in reply to: Extending Kerberos ticket lifetime? #368521
    VirtualWolf
    Participant

    Hmmm. I don’t actually seem to have a kdc.conf file. Looking at the documentation, /Library/Preferences/edu.mit.Kerberos should do the same thing, yes?

    And forgive me if I seem dense, but the changes I’m making should be on that edu.mit.Kerberos file on the server, and I don’t have to change them anywhere else? I don’t have any replicas. Also, I assume I need to restart Kerberos to get it to read these changes (and if so, how)?

    Thanks!

    in reply to: GSSAPI errors in console.log when connected via VPN #368488
    VirtualWolf
    Participant

    Anyone? 🙁

    in reply to: Computers not managed when bound, only when unbound #367902
    VirtualWolf
    Participant

    I’m having the same problem as morgant, except only with one machine. My Power Mac G5 bound and worked without issue, the iMac G5 however refuses to work if it’s bound to the Open Directory. If I [i]don’t[/i] bind, it works fine. 😕

    All machines are running 10.4.8 (clients and server), and it’s a totally fresh install of OS X Server.

    in reply to: Resetting/changing portable home directory sync settings? #367552
    VirtualWolf
    Participant

    Well, I copied the /Library/Managed Preferences/virtualwolf/com.apple.homeSync.plist from my (working but not updating) G5 to the PowerBook and put the new entries in, and it seems to work fine for syncing now (and in System Preferences>Accounts, under the mobile account it says “Admin, Mobile, Managed” again — when it stops working it loses the “Managed” bit).

    I have a feeling this is going to break horribly at some point, though, and would really like to work out WTF is going on before that point. :mrgreen:

    in reply to: Resetting/changing portable home directory sync settings? #367550
    VirtualWolf
    Participant

    Ok, shit.

    My problem has returned. 👿

    I noticed that my machines weren’t updating the list of folders to be excluded. I’d added a few folders since I posted this thread, and they’d been working fine, but the last three ones I added weren’t being ignored on the clients. I used MCXCacher -f to flush the cache on my PowerBook, logged out/in, and it’s gone back to completely ignoring my custom exclude list (/Library/Managed Preferences/virtualwolf/ doesn’t even contain a com.apple.homeSync.plist file anymore).

    I deleted the user from the computer and re-added it, the exclude list came back, but it’s doing the make-the-user-an-admin-user-and-it-kills-the-list thing again. 🙁

    This is really frustrating, because I don’t really know very much about how all this works… I haven’t found a good central resource for troubleshooting problems. Is there any way to just force a client to re-read the list of excluded folders from the server?

    VirtualWolf
    Participant

    HURRAH! I finally got it solved.

    Although I’m not [i]entirely[/i] sure how. 😉

    I ended up deleting the user from both the client and server, and recreating it. The user ID was different, but Workgroup Manager remembered the exclude-from-sync list I’d set up. I’m guessing that deleting the user from both, and possibly the user ID changing, fixed it.

    Either way, yay. 😀

    VirtualWolf
    Participant

    [QUOTE][u]Quote by: macshome[/u]

    When an admin user logs in they are given the choice if they want to be managed or not. If they checked the “Remember my choice” box then you need to use the option key to get back to that screen.[/quote]

    Holding the option key down just comes up with the “Select Workgroup” window, doesn’t it? I didn’t think that had anything to do with the managed stuff…

    [quote]
    As you also found you need to have the initial login done with MCX applied to create a mobile account/PHD.
    [/QUOTE]

    Not quite sure what you mean there…?
