Thanks again. Just some follow up info and a question. The KB article fails to mention that you also need to edit com.apple.AppleFileServer.plist to include the correct kerberosPrincipal. Once you edit your .plist with the right Principal, you’re in business for AFP.
The issue that I have now is that AFP is kerberized correctly, but SMB fails any kerberized connection. I’ve checked the smb.conf files but there’s no mention of which principal it’s using.
The advice is much appreciated. A quick follow up question … I had our AD guys create a two-way transitive shortcut trust between the missoula.campus (student accounts) and gs.umt.edu (computer accounts). This seems to take care of both our authentication issues as well as the flaky group resolution. Do you see any drawbacks to this end-run-type shortcut solution?
FYI … since I wasn’t sure which problem you were trying to address, I tried binding to umt.edu and changing dns_fallback = yes. The cross domain authentication still fails. I cannot auth a user from missoula.campus. If I sudo -s to root and su to [email protected] (or any variation of a legit user), I just get a
Thanks so much for the quick response … Quick question: which issue is the “dns_fallback = yes” supposed to fix, the cross-domain authentication or the group resolution?
I gave ‘er a whirl and I still have the same issue. I can successfully check out tickets from all the KDCs that I have accounts on … UMONTANA.EDU, UMT.EDU, MISSOULA.CAMPUS and GS.UMT.EDU.
I’m not 100% sure that the group resolution is a Kerberos issue. This is a shot in the dark, but is it at all possible that this has something to do with the trust setup?
Everything between the umt.edu (parent) and gs.umt.edu (child) seems to work every time. These two have a direct full transitive trust between them since they’re parent-child. However, the trust relationship between missoula.campus and umt.edu is transitive, but only because it passes through the forest root umontana.edu.
You can do this with augment records in 10.5. It’s not as easy as I’d like, so I’m cheating and using MacAdministrator (yes, they are still in business … and actually it’s gotten much cleaner in 4.x). Anyway, you need to leave “get home directory location from UNC path” unchecked on the clients. In the 10.5 OD you need to edit the raw LDAP … Config -> augmentconfiguration -> XMLPlist … to include the records you want to augment … which are NFSHomeDirectory and HomeDirectory.
Then create Augment records for all the users that you need to do this for and edit the augment records with dscl to have the correct HomeDirectory and NFSHomeDirectory attributes.
It’s this last part where I get discouraged. If you happen to write a script to populate these records, please do share.
[QUOTE][u]Quote by: morgant[/u]I still could probably move the mail store and database to a separate volume and gain a little more performance (both during regular usage and during backup, but then I’d be rolling my own rsync backup script entirely).[/QUOTE]
mailbfr seems to read the cyrus config files to find the mail store. I’ve never had an issue running mailbfr on servers with the mailstore on a separate volume. In fact, I’d be a bit more than a bit frightened to run my mail store/db on the boot volume. I’ve had to roll back to previous OS releases a few too many times to ever trust keeping ANY data on a server boot volume. Just my 2 cents.
I was so wrong. That didn’t fix it. Anyone able to explain why launchd keeps spawning instances of this daemon even though I’ve got it set to RunAtLoad?
A little follow up info that I didn’t have originally … if I just pass L2TP and IPsec to my server (bypassing the 700) the VPN works, so I know that at least the networks have no problems establishing the connection.
Silly me, I found the log for Internet Connect; sadly it’s not very helpful (even in ‘verbose’ mode). This is what she says …
Wed Jan 11 15:22:01 2006 : L2TP connecting to server ‘xxx.xxx.xxx’…
Wed Jan 11 15:22:01 2006 : L2TP sent SCCRQ
Wed Jan 11 15:23:01 2006 : L2TP cannot connect to the server
The Cyrus mailbox does exist. I can see it in my mailstore and I’ve manually moved messages into the inbox via Apple’s Mail. Maybe an smtp pipe from postfix also has to occur, but that wouldn’t explain why I can’t change existing quotas.
One other tidbit. When I make new mail-enabled users in netinfo/root they get accounts, but do NOT show up in ServerAdmin – Mail – Accounts. NOR do any changes I make about mailstore locations or quotas on existing users.