Forum Replies Created

Viewing 3 posts - 1 through 3 (of 3 total)
  • in reply to: SSO and Kerberos not working with AFP #371406
    flowctrl
    Participant

    Check the Kerberos principal in your AFP settings using the 'serveradmin' command:

    [code]sudo serveradmin settings afp:kerberosPrincipal[/code]

    It should match the afpserver principal that is listed in your keytab file:

    [code]klist -kt | grep afpserver
    afpserver/[email protected][/code]

    If not, you can set it using serveradmin:

    [code]serveradmin settings afp:kerberosPrincipal = afpserver/[email protected][/code]

    It should echo the value after the '=' back to you.

    in reply to: How do you get the Kerberos Realm into the directory? #371194
    flowctrl
    Participant

    [QUOTE][u]Quote by: coincident[/u][p][code]
    # sudo sso_util info -r /LDAPv3/127.0.0.1/
    The Local realm name is:(null)
    [/code]
    But, without the trailing forward slash:
    [code]
    # sudo sso_util info -r /LDAPv3/127.0.0.1
    The Local realm name is:YOUR_REALM_HERE
    [/code]
    [/p][/QUOTE]

    haha! I love it when the solution is totally simple.

    Thanks.

    in reply to: How do you get the Kerberos Realm into the directory? #370730
    flowctrl
    Participant

    Yes, the clients that are bound to the directory have edu.mit.Kerberos files from the server, and the server itself has the same file in /Library/Preferences. In the files, the realm and other data is correct.

    On the server, in /Library/Logs/SingleSignOnTools.log, I have this, repeated over and over:

    [code]
    This machine is part of a kerberized directory, realm name is:
    This machine is part of a kerberized directory, realm name is:
    This machine is part of a kerberized directory, realm name is:
    [/code]

    I’m guessing that the LDAP server holds the client configuration data for the edu.mit.Kerberos files in cn=KerberosClient,cn=config…, but keeps configuration data for the server itself in a different part of the directory.

    I took a look at the results of an 'ldapsearch "(objectclass=*)"', and I see an entry that looks like a good candidate, but it seems to have the correct realm name:

    [code]
    # KerberosKDC, config, mydomain.ca
    dn: cn=KerberosKDC,cn=config,dc=mydomain,dc=ca
    cn: KerberosKDC
    objectClass: apple-configuration
    objectClass: top
    apple-config-realname: MYSERVER.MYDOMAIN.CA
    apple-kdc-configdata:: W2xpYmRlZmF1bHRzXQo…
    [/code]

    Maybe the missing data should be part of the binary apple-kdc-configdata?
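The `apple-kdc-configdata::` value in the entry above is base64 LDIF, and the visible prefix decodes to text beginning with `[libdefaults]`. The script below is an added example, not code from the thread: it parses an ldapsearch entry (comments, folded lines, `::` base64 values), decodes the blob and pulls `default_realm` out of it, so the realm stored in the KDC entry can be compared with `apple-config-realname`. The sample entry and blob are constructed, and treating the blob as a krb5.conf-style file is an assumption.

```python
import base64

# Constructed sample in the shape of the ldapsearch output quoted above. The
# blob is made up: a small krb5.conf-style file (an assumption; the page's own
# truncated value also starts with "[libdefaults]" once decoded).
KDC_CONFIG = (b"[libdefaults]\n\tdefault_realm = MYSERVER.MYDOMAIN.CA\n\n"
              b"[realms]\n\tMYSERVER.MYDOMAIN.CA = {\n\t\tkdc = myserver.mydomain.ca:88\n\t}\n")
SAMPLE_LDIF = ("# KerberosKDC, config, mydomain.ca\n"
               "dn: cn=KerberosKDC,cn=config,dc=mydomain,dc=ca\n"
               "cn: KerberosKDC\nobjectClass: apple-configuration\nobjectClass: top\n"
               "apple-config-realname: MYSERVER.MYDOMAIN.CA\n"
               "apple-kdc-configdata:: " + base64.b64encode(KDC_CONFIG).decode() + "\n")

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [raw bytes, ...]}: skips '#' comments,
    unfolds continuation lines (leading space) and decodes 'attr:: b64' values,
    which is how ldapsearch prints binary attributes like apple-kdc-configdata."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF line folding
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                          # not an attribute line
        raw = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip().encode()
        entry.setdefault(attr, []).append(raw)
    return entry

def kdc_default_realm(entry):
    """default_realm from [libdefaults] in the decoded blob, or None if absent."""
    blobs = entry.get("apple-kdc-configdata")
    if not blobs:
        return None
    section = None
    for line in blobs[0].decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults":
            key, _, val = line.partition("=")
            if key.strip() == "default_realm":
                return val.strip()
    return None

if __name__ == "__main__":
    e = parse_ldif_entry(SAMPLE_LDIF)
    print(e["apple-config-realname"][0].decode(), "vs", kdc_default_realm(e))
```

Feed it the real entry (`ldapsearch -LLL -b cn=config,dc=mydomain,dc=ca cn=KerberosKDC`) to see whether the blob carries the realm at all; an empty or missing `default_realm` there would be consistent with the blank realm in SingleSignOnTools.log.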
