[giskard22]

Definitely on the right track here! That setting applies only to SMB, though. There doesn’t appear to be an equivalent for AFP. However, I discovered that if you enable the “Force local homes” option for the AD DirectoryServices plug-in, the issue goes away for AFP too.

Thanks to both of you for the help!

[giskard22]

Not to my knowledge, and most would have no idea what that is. AFP & SMB only.

[giskard22]

Thanks, Joel. I actually discovered that, but it doesn’t explain the behavior. Why does the server want to re-share data that doesn’t exist on it? It’s just supposed to be an AFP/SMB server that’s using AD for authentication.

The list of shares its trying to automount is going to keep getting longer and longer. I was going to ignore it, but yesterday the automount process went crazy, trying to do the mounts over and over without a break in between. It definitely seems like it’s going to cause problems down the road.

[giskard22]

I started from scratch and it’s all working. I guess Open Directory really does need a real, working FQDN.

[giskard22]

Thanks for the reply. I guess I’m hoping for a real fix rather than a workaround. I know my setup sounds a bit odd, but is it really? Apple put an emphasis on 10.4 Server acting as a gateway for small networks, even going so far as to create a Setup Assistant for that purpose. It doesn’t seem like it should be hard to do what I’m doing. Is the problem simply that I’m trying to relate everything to a fake internal DNS zone? I know in a production environment you’d have a real one to work with, but I’m just testing here.

[giskard22]

I don’t think what you were told is accurate. It’ll all depend on the setup of your routing devices. If you’re only using a small network with a single home/office-type router, you probably have to stick with internal IPs, though you can set your server to be the DMZ (essentially, all packets addressed to the router’s external IP will be forwarded to that computer). You could also simply forward only the ports that you want accessible to the outside world; that’s the typical thing to do and its probably best for security.

You should probably only use external IP addresses on your server if you want it to be easily accessible to the outside world on a bunch of different ports, or if you’re on a sizeable network where routing changes or opening ports in a firewall require someone else’s involvement. In that case, you can get your network people to give you an externally-accessible IP address, and they’ll take care of the rest.

[giskard22]

Sorry for so much material, but I look at the slapconfig log and found lots of incriminating stuff that I don’t know how to deal with. This appears to be the sequence of what happens when I try to turn the server into an Open Directory Master.

2005-08-02 12:37:23 -0700 - slapconfig -createldapmasterandadmin
2005-08-02 12:37:23 -0700 - Creating password server slot
2005-08-02 12:37:23 -0700 - command: /usr/sbin/mkpassdb -u diradmin -p -q
2005-08-02 12:37:24 -0700 - command: /usr/sbin/mkpassdb -a -u root -p -q
2005-08-02 12:37:24 -0700 - command: /usr/sbin/NeST -startpasswordserver
2005-08-02 12:37:26 -0700 - Starting LDAP server (slapd)
2005-08-02 12:37:30 -0700 - command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=test,dc=bed -w ****
2005-08-02 12:37:31 -0700 - Configuring Kerberos server, realm is MAIN.TEST.BED
2005-08-02 12:37:31 -0700 - command: /sbin/kerberosautoconfig -r MAIN.TEST.BED -m tiger.ailvlabs.edu -u -v 1
2005-08-02 12:37:32 -0700 - command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 MAIN.TEST.BED
2005-08-02 12:37:34 -0700 - kdcsetup command output:
Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Creating KDC Config File
Creating Admin ACL File
Creating Kerberos Master Key
Creating Kerberos Database
Creating Kerberos Admin user
WARNING: no policy specified for [email protected]; defaulting to no policy
Adding kerberos auth authority to admin user
Creating keytab for the admin tools
Adding KDC & kadmind to launchd
Adding the new KDC into the KerberosClient config record
Finished
2005-08-02 12:37:34 -0700 - command: /usr/sbin/sso_util configure -r MAIN.TEST.BED -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 all
2005-08-02 12:37:37 -0700 - sso_util command output:
Contacting the directory server
Creating the service list
Creating the service principals
WARNING: no policy specified for xgrid/@MAIN.TEST.BED; defaulting to no policy
WARNING: no policy specified for vpn/@MAIN.TEST.BED; defaulting to no policy
WARNING: no policy specified for ipp/@MAIN.TEST.BED; defaulting to no policy
WARNING: no policy specified for XMPP/@MAIN.TEST.BED; defaulting to no policy
WARNING: no policy specified for host/@MAIN.TEST.BED; defaulting to no policy
WARNING: no policy specified for smtp/@MAIN.TEST.BED; defaulting to no policy
WARNING: no policy specified for http/@MAIN.TEST.BED; defaulting to no policy
WARNING: no policy specified for pop/@MAIN.TEST.BED; defaulting to no policy
WARNING: no policy specified for imap/@MAIN.TEST.BED; defaulting to no policy
WARNING: no policy specified for ftp/@MAIN.TEST.BED; defaulting to no policy
WARNING: no policy specified for afpserver/@MAIN.TEST.BED; defaulting to no policy
Creating the keytab file
kadmin: Error writing to key table while adding key to keytab
kadmin: Error writing to key table while adding key to keytab
kadmin: Error writing to key table while adding key to keytab
kadmin: Error writing to key table while adding key to keytab
kadmin: Error writing to key table while adding key to keytab
kadmin: Error writing to key table while adding key to keytab
kadmin: Error writing to key table while adding key to keytab
kadmin: Error writing to key table while adding key to keytab
kadmin: Error writing to key table while adding key to keytab
kadmin: Error writing to key table while adding key to keytab
kadmin: Error writing to key table while adding key to keytab
Configuring services
WriteSetupFile: setup file path = /temp.OxZV/setup
Unable to configure service http error = 2
Cleaning up 
2005-08-02 12:37:37 -0700 - command: /usr/sbin/sso_util configure -r MAIN.TEST.BED -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 ldap
2005-08-02 12:37:37 -0700 - sso_util command output:
Contacting the directory server
Creating the service list
Creating the service principals
WARNING: no policy specified for ldap/@MAIN.TEST.BED; defaulting to no policy
Creating the keytab file
kadmin: No entry for principal ldap/@MAIN.TEST.BED exists in keytab WRFILE:/etc/krb5.keytab
kadmin: Error writing to key table while adding key to keytab
Configuring services
WriteSetupFile: setup file path = /temp.vfqW/setup
Cleaning up 
2005-08-02 12:37:37 -0700 - command: /sbin/kerberosautoconfig -u -v 1
2005-08-02 12:37:37 -0700 - kerberosautoconfig command output:
The machine is standalone
Removing /Library/Preferences/edu.mit.Kerberos
2005-08-02 12:37:37 -0700 - kerberosautoconfig command failed with status 255
2005-08-02 12:37:37 -0700 - command: /usr/sbin/mkpassdb -kerberize
2005-08-02 12:37:38 -0700 - mkpassdb command output:
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
2005-08-02 12:37:38 -0700 - command: /usr/sbin/vpnaddkeyagentuser -q /LDAPv3/127.0.0.1
2005-08-02 12:37:39 -0700 - slapconfig -setldapconfig
2005-08-02 12:37:39 -0700 - command: /usr/sbin/mkpassdb -setreplicationinterval 86400 SyncAnytime
2005-08-02 12:37:47 -0700 - slapconfig -setmacosxodpolicy
2005-08-02 12:37:48 -0700 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2005-08-02 12:42:34 -0700 - slapconfig -setmacosxodpolicy
2005-08-02 12:42:34 -0700 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi

Here’s the part that I don’t understand:
2005-08-02 12:37:31 -0700 – command: /sbin/kerberosautoconfig -r MAIN.TEST.BED -m tiger.ailvlabs.edu -u -v 1

According to ‘man kdcsetup’, that’s the format you would use to create a standard MIT KDC. You use a different set of switches to create an “Apple KDC” for use with Open Directory. So why is the server creating the wrong kind of KDC (or is it)?

[Author]

Posts