[peet1]

Thanks again. Just some follow up info and a question. The KB article fails to mention that you also need to to edit com.apple.AppleFileServer.plist to include the correct kerberosPrincipal. Once you edit your .plist with the right Principal, your in business for AFP.

The issue that I have now is that AFP is kerberized correctly, but SMB fails any kerberized connection. I’ve checked the smb.conf’s but there’s no mention of which principal it’s using.

Any help?

thanks.peet

[peet1]

wow big thanks … Feel dumb for missing it.

thanks again.

[peet1]

Months later, but were you just looking for your tickets …open /System/Library/CoreServices/Ticket Viewer.app instead.

[peet1]

Brilliant.

The advice is much appreciated. A quick follow up question … I had our AD guys create a two-way transitive shortcut trust between the missoula.campus (student accounts) and gs.umt.edu (computer accounts). This seems to take care of both our authentication issues as well as the flakey group resolution. Do you see any drawbacks to this end-run-type shortcut solution?

thanks.peet

[peet1]

FYI … since I wasn’t sure which problem you were trying to address, I tried binding to umt.edu and changing dns_fallback = yes. The cross domain authentication still fails. I cannot auth a user from missoula.campus. If I sudo -s to root and su to [email protected] (or any varation of a ligit user), I just get a

su: unknown login: pm823892e

thanks.peet

[peet1]

Joel,

Thank so much for the quick response … Quick question which issue is the “dns_fallback = yes” supposed to fix. The cross-domain authentication or the group resolution?

I gave ‘er a whirl and I still have the same issue. I can successfully check out tickets from all the KDC that I have access to accounts … UMONTANA.EDU, UMT.EDU, MISSOULA.CAMPUS and GS.UMT.EDU.

I’m not 100% sure that the group resolution is a Kerberos issue. This is a shot in the dark, but is it at all possible that this has something to do with the trust setup?

Everything between the umt.edu (parent) and gs.umt.edu (child) seems to work every time. These two have a direct full Transitive trust between them since they’re parent-child. However, the trust relationship between missoula.campus and umt.edu is transitive, but only because it passes through the forest root umontana.edu.

thanks.peet

[peet1]

You can do this with augment records in 10.5. It’s not as easy as I’d like so I’m cheating and using MacAdministrator (yes they are still in business … and actually it’s gotten much cleaner in 4.x). Anyway you need to not check the get home directory location from UNC path when on the clients. In the 10.5 OD you need to edit the raw LDAP … Config -> augmentconfiguration -> XMLPlist … to include the records you want to augment … which are NFSHomeDirectory and HomeDirectory.

Then create Augment records for all the users that you need to do this for and edit the augment records with dscl to have the correct HomeDirectory and NFSHomeDirectory attributes.

It’s this last part that I get discouraged. If you happen to write a script to populate these records, please do share.

peet

[peet1]

[QUOTE][u]Quote by: morgant[/u]I still could probably move the mail store and database to a separate volume and gain a little more performance (both during regular usage and during backup, but then I’d be rolling my own rsync backup script entirely).[/QUOTE]

mailbfr seems to read the cyrus config files to find the mail store. I’ve never had an issue running mailbfr on servers with the mailstore on a seperate volume. In fact, I’d be a bit more than a bit frightened to run my mail store/db on the boot volume. I’ve had to roll back to previous OS releases a few to many times to ever trust keeping ANY data on a server boot volume. Just my 2 cents.

peet

[peet1]

I was so wrong. That didn’t fix it. Anyone able to explain why launchd keeps spawning instances of this daemon even though I’ve got it set to RunAtLoad?

thanks.peet

[peet1]

The answer was too easy.

The [url=http://homepage.mac.com/peet1/net.sourceforge.synergy2.plist.FIXED.txt] PLIST [/url].

Then answer was in the NumberOfProcesses. Just needed an integer of 1.

hope this helps someone else.

peet

[peet1]

A little follow up info that I didn’t have originally … if I just pass L2TP and IPsec to my server (Bypassing the 700) the VPN works, so I know that atleast the networks have no problems establishing the connection.

Silly me I found the log for Internet Connect, sadly it’s not very helpful (even in ‘verbose’ mode) this is what she says …

Wed Jan 11 15:22:01 2006 : L2TP connecting to server ‘xxx.xxx.xxx’…
Wed Jan 11 15:22:01 2006 : L2TP sent SCCRQ
Wed Jan 11 15:23:01 2006 : L2TP cannot connect to the server

peet

[peet1]

I’ll explain my fix soon, but for now, know that it’s working.

peet

[peet1]

The Cyrus mailbox does exist. I can see it in my mailstore and I’ve manually moved messages into the inbox via Apple’s Mail. Maybe an smtp pipe from postfix also has to occur, but that wouldn’t explain why I can’t change existing quotas.

thanks for any and all help.

peet.

[peet1]

one other tidbit. When i make new mail-enabled users in netinfo/root they get accounts, but do NOT show up in ServerAdmin – Mail – Accounts. NORE do any changes I make about mailstore locations or quotas on existing users.

thanks again

peet

[peet1]

Thanks for the reply, I forgot I posted here (and here’s probably my best bet!)

Here’s my main.cf and master.cf
http://homepage.mac.com/peet1/postfix/main.cf
http://homepage.mac.com/peet1/postfix/master.cf

for good measure here are my imapd.conf and cyrus.conf
http://homepage.mac.com/peet1/cyrus/imapd.conf
http://homepage.mac.com/peet1/cyrus/cyrus.conf

and here’s the chunk you asked for…

–start CHUNK
maildrop unix – n n – – pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix – n n – – pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
cyrus unix – n n – 10 pipe
user=cyrus argv=/usr/bin/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix – n n – – pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender – $nexthop!rmail ($recipient)
ifmail unix – n n – – pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix – n n – – pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
–end CHUNK

I’ve manually checked and rechecked these configs against working servers but if you can figure it out I’d be super excited.

As an FYI, my mailstore is located /volumes/data/mailstore

Thanks for the quick reply. I hope you’re still watching.

peet

[Author]

Posts