Forum Replies Created
honestpuck (Participant)
Let’s look at some assumptions as to how you did things.
I assume you’ve got the edu.mit.Kerberos file back in place. I assume you have a running and checked LDAP server with a number of users in it. I assume you either put sudo in front of all your commands or did a sudo -s first to get a root shell. I assume you blew away /var/db/krb5kdc and then ran kerberosautoconfig and kdcsetup with some fairly sane parameters.
At that point (still while root) do a ‘kinit username’ and get a ticket. Then try a ‘klist’ on its own – which should list your ticket.
Then if all that’s a go try ‘sftp [email protected]’ and you should log on without a password. (I expect this to break if the problem you’re reporting is there)
Once you get that far a ‘klist -kt’ should list your host principals.
Seeing where those steps broke will give a better idea of where you’re breaking. At that point a good look at http://web.mit.edu/kerberos/www/ might suffice to solve your problem. Otherwise, reposting to tell us where you broke and what worked and what didn’t will allow a better idea of what might fix it.
My first suggestion would be to take the Swiss Army Knife out of the toolbox and do ‘sudo kadmin.local’ then from the kadmin prompt :
listprincs (which should report a list of principals)
then
ktadd -glob *
which should add all the required keys to your keytab. This step failing would not be surprising but the error it reports would probably be informative. (A ‘man kadmin’ will tell you all about this neat little shell)
Oh, and bustthis, tbridge is reporting the wrong sort of error for not running klist with sudo as his only problem. He would have got a ‘Permission denied’ rather than ‘No such file or directory’ if that was the case.
(I’m spending way too much time hip deep in Kerberos – I’m trying to get a 10.3 client machine to authorise against my 10.3 server box, now that’s what I call fun.)
Tony
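As an added example (not code from the post above), the following POSIX shell helpers read `klist` and `klist -kt` output so the four-step sequence in that post can be driven from a script and the first failing step reported. It also flags a point worth checking after the `ktadd -glob *` suggestion: kadmin's ktadd randomizes the key of every principal it matches as it writes them to the keytab, so a glob that matches user principals resets their passwords and leaves their keys readable by whoever can read the keytab. The realm, host and user names are assumptions, and the two sample listings are constructed to look like MIT Kerberos output, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the original post. Helper functions that read
# `klist` and `klist -kt` output so the diagnostic sequence can be scripted.
# EXAMPLE.COM, server.example.com and the user "tony" are assumptions.

# Step 2: does a `klist` listing show a ticket-granting ticket for the realm?
klist_has_tgt() { # $1 = klist output, $2 = realm
    printf '%s\n' "$1" | grep -qF "krbtgt/$2@$2"
}

# Step 4: does a `klist -kt` listing contain the host principal sshd/sftp needs?
keytab_has_host_principal() { # $1 = klist -kt output, $2 = server fqdn, $3 = realm
    printf '%s\n' "$1" | grep -qF "host/$2@$3"
}

# Principals in a keytab listing with no instance part (no '/'), i.e. user or
# admin principals. `ktadd -glob *` pulls these in too, and ktadd randomizes
# each matched principal's key as it goes, so anything printed here means a
# user's password was reset and their key now sits in the keytab.
keytab_user_principals() { # $1 = klist -kt output
    printf '%s\n' "$1" | awk '$NF ~ /@/ && index($NF, "/") == 0 { print $NF }' | sort -u
}

# Run the live sequence as root on the server: kinit, klist, sftp, klist -kt.
# Reports the first step that fails. Needs the real tools, so it is not exercised
# by the constructed samples below.
run_live_checks() { # $1 = server fqdn, $2 = realm, $3 = user
    kinit "$3" || { echo "step 1 failed: kinit $3"; return 1; }
    klist_has_tgt "$(klist)" "$2" || { echo "step 2 failed: no krbtgt/$2 ticket in klist"; return 1; }
    # -b /dev/null: batch mode, so sftp fails instead of prompting for a password
    sftp -b /dev/null "$3@$1" || { echo "step 3 failed: sftp to $1 without a password"; return 1; }
    keytab_has_host_principal "$(klist -kt)" "$1" "$2" || { echo "step 4 failed: no host/$1@$2 in keytab"; return 1; }
    extra=$(keytab_user_principals "$(klist -kt)")
    [ -z "$extra" ] || echo "warning: user principals in keytab: $extra"
    echo "all steps passed"
}

# Constructed sample, shaped like MIT `klist` output (not a real capture).
SAMPLE_KLIST=$(cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tony@EXAMPLE.COM

Valid starting     Expires            Service principal
01/01/04 12:00:00  01/01/04 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
)

# Constructed sample of `klist -kt` after an over-broad `ktadd -glob *`:
# the host key is there, but so is the user tony's key.
SAMPLE_KEYTAB=$(cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/01/04 12:00:00 host/server.example.com@EXAMPLE.COM
   2 01/01/04 12:00:00 kadmin/admin@EXAMPLE.COM
   2 01/01/04 12:00:00 tony@EXAMPLE.COM
EOF
)
```

On a real box, source the file as root and call `run_live_checks server.example.com EXAMPLE.COM tony`; if only host principals should be in the keytab, an `ktadd host/server.example.com` is the narrower alternative to the glob.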
honestpuck (Participant)
Hi John,
I’ve given up on WGM for everything except adding accounts, deleting them and changing passwords.
If you want to do anything else then may I suggest phpLDAPadmin which goes onto OS X Server like a dream and works like a charm. I had lots of the sort of problems you describe using WGM in Inspector mode while pLA just does it. So the problem may well be WGM rather than your schema, which looked fine.
Tony
honestpuck (Participant)
Joel,
This may help with my problem, too. Where does CG Pro shove the script and what does it call it? I’m a lookin’ but nothing seems to be in /var/CommuniGate.
Tony
honestpuck (Participant)
Actually there are NO settings in SM to limit the size of an attachment – it’s actually a setting in PHP for the largest possible file to be uploaded.
To fix it copy /etc/php.ini.default to /etc/php.ini and then change the line ‘upload_max_filesize = 2M’ to whatever size you want.
Then after an ‘apachectl restart’ at the terminal you’ll notice SM tell you it will accept an attachment of the new size.
Tony Williams
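As an added example (not code from the post above), a small POSIX shell helper that makes the php.ini change described there on a file you point it at, and reads the effective values back the way PHP does (last active assignment wins, commented lines ignored). It also raises post_max_size when it is below the new limit, because PHP rejects the whole POST body against post_max_size before upload_max_filesize is ever consulted, so raising only the upload limit can leave the attachment still refused. The sample ini it writes is constructed; the real file on OS X Server is /etc/php.ini copied from /etc/php.ini.default as the post says.

```shell
#!/bin/sh
# Added example, not code from the original post. Sets upload_max_filesize in a
# php.ini and keeps post_max_size at least as large. The sample ini written by
# make_sample_ini is constructed for demonstration, not a real php.ini.default.

# Print the effective value of a directive: the last active (uncommented)
# assignment wins, which is how PHP reads the file. Prints nothing if unset.
php_ini_get() { # $1 = ini file, $2 = directive
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Replace the active assignment of a directive, or append one if the file only
# has it commented out (leading ';') or not at all. Writes via a temp file so
# it behaves the same with GNU and BSD sed.
php_ini_set() { # $1 = ini file, $2 = directive, $3 = value
    tmp="$1.tmp.$$"
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed "s|^[[:space:]]*$2[[:space:]]*=.*|$2 = $3|" "$1" > "$tmp" && mv "$tmp" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Convert PHP's shorthand sizes (2M, 512K, 1G, or plain bytes) to bytes.
php_size_bytes() { # $1 = size
    n=$(printf '%s' "$1" | sed 's/[KkMmGg]$//')
    case "$1" in
        *[Kk]) echo $((n * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# Set the upload limit. PHP checks the whole request body against post_max_size
# before upload_max_filesize, so raise post_max_size too when it is smaller
# (a value of 0 means unlimited and is left alone).
set_upload_limit() { # $1 = ini file, $2 = new size, e.g. 20M
    php_ini_set "$1" upload_max_filesize "$2"
    post=$(php_ini_get "$1" post_max_size)
    if [ -z "$post" ]; then
        php_ini_set "$1" post_max_size "$2"
    elif [ "$post" != 0 ] && [ "$(php_size_bytes "$post")" -lt "$(php_size_bytes "$2")" ]; then
        php_ini_set "$1" post_max_size "$2"
    fi
}

# Write a constructed php.ini fragment with the stock 2M limit, including the
# commented-out copy of the directive that real ini files carry.
make_sample_ini() { # $1 = path
    cat > "$1" <<'EOF'
; constructed sample, not a real php.ini.default
; upload_max_filesize = 2M
upload_max_filesize = 2M
post_max_size = 8M
file_uploads = On
EOF
}
```

Usage on a copy of the real file: `cp /etc/php.ini.default /tmp/php.ini; set_upload_limit /tmp/php.ini 20M; php_ini_get /tmp/php.ini upload_max_filesize`, then move it into place and restart Apache as the post describes. Form fields ride along in the same POST, so in practice leave post_max_size a little above the upload limit rather than exactly equal.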
honestpuck (Participant)
Hi,
Your problem has nothing to do with webmail. It’s a Cyrus problem.
I suggest you go to the terminal and do a ‘sudo -s -u cyrus’ to turn yourself into the cyrus user and then go to /usr/bin/cyrus/bin and first run ./chk_cyrus which should list the current mailboxes. Then
./imtest -u user_name -a user_name imap.example.com
replacing ‘user_name’ with the name of a valid mailbox owner and imap.example.com with the name of your server. This will then either fail with a generic authorization failure or log you in. In either case enter ‘. logout’ to log out of the server.
It’s my guess that this will fail but will tell you why. The most likely problem is it will tell you that mail is not enabled for this user. This means one of two things – it can’t find the user or they don’t have mail enabled. Check to see they DO have mail enabled. If they do then check that ‘Directory Access’ on your server is pointing to the right places – i.e. your local LDAP server if you are using one, otherwise wherever you are storing user info. I suspect that Cyrus may actually require you to use something other than the local NetInfo node as that is not network accessible – I use the LDAP server on the mail server.
Then when you have that working try logging in to the account from Mail.app. If that works *then* try Webmail.
There are some good notes at http://en.tldp.org/HOWTO/Cyrus-IMAP.html and http://acs-wiki.andrew.cmu.edu/twiki/bin/view/Cyrus/WebHome
Tony Williams
honestpuck (Participant)
After some fairly intensive log reading and trying five different modules I’ve finally got LDAP authorization working in Apache.
The answer was to use an earlier Apache module, mod_LDAPauth from Piet Ruyssinck. This one did have some problems, though. It didn’t like Apple’s group model and didn’t allow uids longer than 8 characters.
I’ve spent some time modifying it so it now works great with longer names and Apple’s groups. You can get a copy from my blog at http://honestpuck.com/Computers/Macintosh/mod_LDAPauth
Tony Williams
honestpuck (Participant)
OK, first
1/ ssh to the server any old how
2/ do a ‘kinit’ on the server to get a ticket – you’ll supply your password again.
3/ Try ssh to the server from the server.
This will take the client out of the loop.
I’d also try restoring your ssh to an absolute default, so put back that stuff you removed from the xinet file.
Tony
honestpuck (Participant)
Did you check you had a valid ticket using the Kerberos app?
Does ssh -version report ‘OpenSSH_3.6.1’?
What OS version are you running the client on?
Tony
honestpuck (Participant)
Charles,
That keytab looks fine, similar enough to mine anyway. You might want to force your client to use protocol v2 (with the -2 option).
Note that the user names have to match your currently active key, otherwise you need to use the -l option to the ssh client.
I’d also try a reboot on both boxes.
Tony
honestpuck (Participant)
Well, the quick answer is read https://www.afp548.com/Articles/Panther/kerberos2.html for a quick solution.
The slower answer is that the kerberos autoconfig routine in 10.3+ doesn’t fully populate your keytab file for reasons unknown. This means that if you want ssh supported then you need to run sso_util.
sudo sso_util configure -r REALM -a admin_name -p password all
Oh, since you’ve got that far then you might also want a GUI ftp client – if so then you need to grab a copy of Fetch and MIT Kerberos Extras (from MIT). MKE also allows Kerberos single sign on to work in Eudora for those that prefer using it over Mail.app
Have you found the neat little Kerberos utility in /System/Library/CoreServices yet? If you don’t install MKE (which creates an alias to this in your Applications folder) you might want to go to a shell prompt and type:
mkalias "/System/Library/CoreServices/Kerberos.app" /Applications/Kerberos
(I’ll leave figuring out why you can’t create an alias for this from Finder as an exercise for the reader – this is another ‘feature’ I wish Apple would fix)
I like this tool just for the neat little ticket countdown timer in the Dock icon and that it allows me to log on to my computer using a local login and then grab a ticket using a login name from the LDAP server.
Tony
honestpuck (Participant)
MacTroll wrote:
> You’re probably running into password problems.
> Is the module expecting to find the hashed password in the user record?
> Joel
Hard to tell. The code is fairly opaque. mod_auth_ldap has a debugging mode and appears to be writing nothing to the error log. I haven’t got logging working in auth_ldap either. It looks like both should write something to the log before getting as far as checking the password.
Tony
honestpuck (Participant)
> Version Tracker has a few apps that will generate an LDIF right out of Address Book, look there and all your questions should be answered.
Unfortunately none of them support tagging of multiple phone numbers or email addresses so you have no way of knowing what is a fax number, a work number and a home number. None seem to support a full address either.
A good idea, though. I’m going to keep on looking.
Tony