Forum Replies Created

Viewing 4 posts - 16 through 19 (of 19 total)
  • in reply to: SSO with AD/OD and fileshares #371132
    alternapop
    Participant

    Quote by CostasPPC1: Is Kerberos working on the SSO?

    there are two tickets showing up if i run klist -e
    both of these appear in the Kerberos application too
    so as far as i can tell, yes

    in reply to: troubleshooting AFP beyond the GUI #371072
    alternapop
    Participant

    thanks all for the info! i’ll read through those apple pdf’s.
    it’s a stand alone server running a local database. not bound to any other servers.

    in reply to: AD and OD integration problems #370293
    alternapop
    Participant

    bump. sorry but i haven’t resolved this and am wondering if anyone has any insight. thanks

    in reply to: AD and OD integration problems #370227
    alternapop
    Participant

    1. Do you have any evidence, beyond a green light in Server Admin, that the SSL certificate is working?

    not really i guess. how can i check this?

    2. It doesn’t work to bind both to AD and to OD. Bind to AD and do an anonymous bind to OD. There’s nothing sensitive in the OD part of this, as there are no passwords, or even user information, in the OD LDAP server.

    makes sense, thanks!

    3. – First creating an OD Master and then joining AD?

    Yes

    – Do you do anything to disable the KDC on the Master before joining AD?

    Yes

    – sudo klist -kt

    Yes, returns a bunch of lines in matching pairs of 3, except a couple which i presume are related to the error i get when running “sudo dsconfigad -enableSSO” which is “Unable to configure service http error = 2”

    – cat /Library/Preferences/edu.mit.kerberos

    Yes and returns many domains including my AD domain

    ———–
    Here is step by step what I’m doing…

    1. promoted to OD Master, selecting SSL and my self assigned cert
    2. on server ran:

    sudo sso_util remove -k -a diradmin -p [password]

    returns:
    shutting down kadmind
    kadmind shut down
    shutting down kdc
    removing KDC from the KerberosClient config record
    Contacting the directory server
    Cannot get the realm name from the directory
    failed to update directory error is 2
    kdc shut down
    removing kdc database files

    dscl -u diradmin /LDAPv3/127.0.0.1 -delete /Config/KerberosKDC

    returns:
    Data source (/LDAPv3/127.0.0.1) is not valid.

    3. started over, changed OD back to Stand Alone

    1. promoted to OD Master (ssl not checked)
    2. on server ran:

    sudo sso_util remove -k -a diradmin -p [password]

    returns:
    shutting down kadmind
    kadmind shut down
    shutting down kdc
    removing KDC from the KerberosClient config record
    Contacting the directory server
    Directory updated
    kdc shut down
    removing kdc database files

    note: ssl is checked but using “custom configuration”… didn’t change anything here by hand

    3.
    dscl -u diradmin /LDAPv3/127.0.0.1 -delete /Config/KerberosKDC
    dscl -u diradmin /LDAPv3/127.0.0.1 -delete /Config/KerberosClient

    4. bound server to AD successfully

    5. sudo dsconfigad -enableSSO

    returns a bunch of stuff, last 4 lines are:

    Unable to configure service http error = 2
    Unable to configure service HTTP error = 2
    Cleaning up
    Settings changed successfully

    6.
    sudo klist -ke
    Keytab name: FILE:/etc/krb5.keytab
    … a bunch of lines…

    7. defaults read /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal
    returns sfpserver/[…]

    8. grep “realm” /etc/smb.conf
    realm = [… AD realm …]

    9. on the client:
    when adding my OD, if SSL is checked, it gives an error that it can’t find the OD
    when adding my OD, if SSL is not checked, it works and lets me manage the client
    if i manually check ssl after successfully adding the OD, it doesn’t pick up the managed client prefs

    —–

    thanks a million for your time and help!
    chris
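
An added example, not part of the posts above: a small script that summarises `klist -kt` output so principals with fewer keys than expected, or services with no key at all (such as the `http`/`HTTP` entries that `dsconfigad -enableSSO` failed to configure), stand out. It assumes the MIT-style `klist -kt` layout and takes three entries per principal as the expected count, as described in the post; the function names are hypothetical, and the sample listing, host name and realm are constructed.

```shell
#!/bin/sh
# Added example: summarise `klist -kt` output read from stdin.
# Assumes the MIT-style layout, one "KVNO date time principal" line per key.

# Print "<count> <principal>" for every principal in the listing.
keytab_summary() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 4 { n[$NF]++ }
         END { for (p in n) print n[p], p }' | sort -k2
}

# Print principals whose key count differs from $1 (default 3).
keytab_incomplete() {
    keytab_summary | awk -v want="${1:-3}" '$1 != want { print $2 }'
}

# Print each service name (argument) with no key in the listing at all.
keytab_missing() {
    listing=$(keytab_summary)
    for svc in "$@"; do
        printf '%s\n' "$listing" | awk -v s="$svc" '
            { split($2, a, "/"); if (a[1] == s) found = 1 }
            END { exit !found }' || printf '%s\n' "$svc"
    done
}

# Constructed sample listing; host name and realm are hypothetical.
sample_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   2 01/01/10 10:00:00 host/server.example.com@AD.EXAMPLE.COM
   2 01/01/10 10:00:00 host/server.example.com@AD.EXAMPLE.COM
   2 01/01/10 10:00:00 host/server.example.com@AD.EXAMPLE.COM
   2 01/01/10 10:00:00 afpserver/server.example.com@AD.EXAMPLE.COM
   2 01/01/10 10:00:00 afpserver/server.example.com@AD.EXAMPLE.COM
   2 01/01/10 10:00:00 afpserver/server.example.com@AD.EXAMPLE.COM
   2 01/01/10 10:00:00 cifs/server.example.com@AD.EXAMPLE.COM
   2 01/01/10 10:00:00 cifs/server.example.com@AD.EXAMPLE.COM
EOF
}

echo "Incomplete principals:"; sample_keytab | keytab_incomplete 3
echo "Services with no key:";  sample_keytab | keytab_missing afpserver http HTTP
```

On a real server the same functions can read live output, for example `sudo klist -kt | keytab_incomplete 3`.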
