Forum Replies Created

    in reply to: Kerberos keytab error when trying to join Kerberos… #376154
    s_bennett
    Participant

    Update:

    Got kadmin running. There were a couple of issues.

    The primary one being that the config file that OS X spits out when creating the OD master (/Library/Preferences/edu.mit.Kerberos) was not correct; it had one of the OD replicas I’d configured as the “admin” server. I wish Apple’s docs would point out more clearly that realms can be edited via the Kerberos utility app. I found this article to be very useful if anyone else is new to this and having trouble:

    http://web.mit.edu/macdev/KfM/Common/Documentation/preferences-osx.html#config

    After tweaking the config settings, executing “sudo kadmin -p directoryadmin” gets me to the kadmin prompt successfully.

    Now, in the Server Admin app I can “add a Kerberos record” on the OD -> Settings main pane.

    However, attempting to join a server to the Kerberos realm still fails after I’ve added a Kerberos record on the OD Master to delegate join authority for an admin.

    It returns an invalid username or password error (despite the fact that the user principal does exist and can get tickets issued from the KDC).

    On the member server attempting the join there are no new kadmin or krb5kdc log entries generated after this action.

    Hope that all made sense, thanks for reading.

    s_bennett
    Participant

    Here’s what I get when listing running processes:

    44 ?? 0:00.90 /usr/sbin/kadmind -passwordserver -nofork

    and invoking kadmin from the command line results in this:

    Authenticating as principal “mydirectoryadmin”/[email protected] with password.
    kadmin: Client not found in Kerberos database while initializing kadmin interface

    From the kadmin log:

    “No dictionary file specified, continuing without one.”
    (only entry listed, but I think this is just a notification)

    I’m learning more than I ever wanted to know about Kerberos. I’m not sure what the “client not found” message means. The admin principal does exist in the Kerberos database…

    Thanks for reading.

    s_bennett
    Participant

    I’m having the exact same problem (same OS revision also). Does anyone have other ideas? Moving the /etc/krb5.keytab file did not seem to help.

    On the OD Master side, I’m also getting an error when I attempt to delegate authority to join a Kerberos domain.
    From Server Admin, I go to the OD Master -> Open Directory -> General pane and click on “add Kerberos record…”

    In the pop-up window I enter:
    directory admin / pw for Administrator name and password,
    OD computer record name for “Configuration Record Name”,
    user shortname for “delegated administrators”.

    This returns:

    “Unable to create Kerberos service principals for the Kerberos configuration record.”

    I’ve checked and double-checked DNS: forward and reverse lookups work for both the OD Master and the member server I want to join.
    Also, the configuration record name in OD matches DNS (in the form “hostname$”, which I think is normal for OD).

    I get this chunk of information in the Kerberos server log when I attempt to add a record:

    May 07 10:12:05 my.odmaster.server krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) xxx.xxx.xxx.xxx: NEEDED_PREAUTH: [email protected] for kadmin/[email protected], Additional pre-authentication required
    May 07 10:12:05 my.odmaster.server krb5kdc[13728](debug): handling authdata
    May 07 10:12:05 my.odmaster.server krb5kdc[13728](debug): handling authdata
    May 07 10:12:05 my.odmaster.server krb5kdc[13728](debug): .. .. ok
    May 07 10:12:05 my.odmaster.server krb5kdc[13728](debug): .. .. ok
    May 07 10:12:05 my.odmaster.server krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) xxx.xxx.xxx.xxx: ISSUE: authtime 1241716325, etypes {rep=16 tkt=16 ses=16}, [email protected] for kadmin/[email protected]
    May 07 10:12:05 my.odmaster.server krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) xxx.xxx.xxx.xxx: ISSUE: authtime 1241716325, etypes {rep=16 tkt=16 ses=16}, [email protected] for kadmin/[email protected]

    I’m not exactly sure if the two problems are related, but getting my member servers to join the existing Kerberos realm would be really nice…

    UPDATE:
    Running this command on the Xserve I want to join to the Kerberos realm:

    command: sso_util configure -r MY.KERBEROS.REALM -a odadmin -p ***** all

    results in this:

    Contacting the directory server
    Creating the service list
    Creating the service principals
    kadmin: Communication failure with server while initializing kadmin interface
    2009-05-07 11:29:37 -0700 – sso_util command failed with status 2

    So I check the OD master, and while kadmin.local works, I can’t access kadmin from the command line.
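    An added example (not from this thread): a small Python parser for krb5kdc AS_REQ lines in the format quoted in the post above. The sample log is constructed with placeholder KDC name, realm, principals and addresses; it includes a CLIENT_NOT_FOUND entry, which is how the KDC records the “Client not found in Kerberos database” error that kadmin printed in the earlier post, and it flags tickets issued with a legacy cipher (etype 16, des3) even though the client offered AES, which is what the quoted ISSUE lines show.

```python
import re
from collections import Counter

# Constructed sample in the krb5kdc AS_REQ format; names, realm and addresses are placeholders.
SAMPLE_LOG = """\
May 07 10:12:05 odmaster.example.test krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: NEEDED_PREAUTH: diradmin@EXAMPLE.TEST for kadmin/admin@EXAMPLE.TEST, Additional pre-authentication required
May 07 10:12:05 odmaster.example.test krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1241716325, etypes {rep=16 tkt=16 ses=16}, diradmin@EXAMPLE.TEST for kadmin/admin@EXAMPLE.TEST
May 07 10:13:01 odmaster.example.test krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.20: CLIENT_NOT_FOUND: diradmin/admin@EXAMPLE.TEST for kadmin/admin@EXAMPLE.TEST, Client not found in Kerberos database
May 07 10:13:09 odmaster.example.test krb5kdc[13728](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.20: PREAUTH_FAILED: diradmin@EXAMPLE.TEST for kadmin/admin@EXAMPLE.TEST, Preauthentication failed
"""

# Etype numbers from RFC 3961/3962/4757; 1-3 are single DES, 16 and 23 are deprecated by RFC 8429.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
LEGACY_ETYPES = {1, 2, 3, 16, 23}

AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"AS_REQ \(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<client_ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")
ISSUE_RE = re.compile(r"authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}")

def parse_as_req(line):
    """Return a dict for one krb5kdc AS_REQ line, or None if the line is not one."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["offered"] = [int(e) for e in ev["offered"].split()]          # etypes the client offered
    p = PRINC_RE.search(ev["rest"])                                    # "client for server" pair
    ev["client"], ev["server"] = (p.group("client"), p.group("server")) if p else (None, None)
    i = ISSUE_RE.search(ev["rest"])                                    # only present on ISSUE lines
    ev["tkt_etype"] = int(i.group("tkt")) if i else None
    # Legacy ticket cipher despite an AES offer usually reflects the principal's stored keys
    # or the KDC's enctype policy (e.g. permitted_enctypes), not the requesting client.
    ev["legacy_ticket"] = ev["tkt_etype"] in LEGACY_ETYPES and bool({17, 18} & set(ev["offered"]))
    del ev["rest"]
    return ev

def summarize(log_text):
    """Count AS_REQ outcomes per (client principal, status) and list legacy-cipher tickets."""
    events = [e for e in map(parse_as_req, log_text.splitlines()) if e]
    outcomes = Counter((e["client"], e["status"]) for e in events)
    legacy = [(e["client"], ETYPE_NAMES.get(e["tkt_etype"], str(e["tkt_etype"])))
              for e in events if e["legacy_ticket"]]
    return {"events": events, "outcomes": outcomes, "legacy_tickets": legacy}
```

    Calling summarize(SAMPLE_LOG) returns the per-principal outcome counts under "outcomes" and the des3-issued ticket under "legacy_tickets"; a CLIENT_NOT_FOUND entry shows exactly which client principal name (including any instance) the KDC was asked for.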

    in reply to: Using Bacula and Webmin on OS 10.5.4 #373918
    s_bennett
    Participant

    Hi, thanks for the reply.

    I installed everything in /usr/local/bacula; the cool thing about webmin is that it picked that up right away. If I go into the module configuration, it displays the correct path to the bconsole.conf file (as well as the rest of the .conf files). If I manually start the console from the command line it connects no problem… I’m wondering if perhaps webmin is attempting to start the console services with a different user ID? By any chance have you tried installing any of bacula’s GUI tools on OS X?

    s_bennett
    Participant

    Hi, thanks for the response. mkpassdb got the missing Kerberos principals back, so thanks for that.

    I still can’t seem to figure out why a network user cannot authenticate. I have a client machine bound to the Open Directory master; it can see the LDAP domain for authentication and contacts, yet the only account that will authenticate is the directory administrator. The login window will show the network user, I can even get it to prompt a network user to change a password, but when it comes time to actually enter the password and authenticate the screen just shakes. This happens for every user, new ones that I’ve just created as well as old ones that were imported after the Leopard install, again, except for the directory admin account.

    I opened a ticket with Apple support, who told me that sometimes the OD installation “hiccups” when looking at the DNS names (whatever that means). So I executed “changeip LDAPv3/127.0.0.1/ old ip new ip oldname newname” to make sure all the names were correct. Time sync is good, and I’ve added the client machine to a computer group in Workgroup Manager as well. As far as Open Directory goes, the ability for a user to log in from a client machine should be (and typically is) taken for granted. Are there some common problems that I’m not thinking of that could prevent this? (Service conflicts on the server or some hardware issue?) Network-wise there’s no NAT going on and both machines are on the same subnet. By the way, should Workgroup Manager auto-populate the computer list? It does recognize other servers connected to the same switch but nothing else on the subnet…

    s_bennett
    Participant

    Does anyone have any thoughts? To test this I created a new OD Master on a fresh install of 10.5.3 on an Xserve. DNS and time sync both look good. I followed the documentation closely on creating an OD master. Here are some logs that hopefully can shed some light on this:

    Perhaps I’m missing some very basic step that all OS X administrators know but take for granted? (Don’t mind the log smiley faces, by the way.)

    This shows up in the Directory Services log right after installation:

    2008-06-26 15:37:04 PDT – T[0xB0103000] – Attempt #1 to initialize plug-in PasswordServer failed.
    Will retry initialization at most 100 times every 1 second.

    Initial setup Directory Service logs:

    2008-06-26 15:10:28 PDT – T[0xA031AF60] –

    2008-06-26 15:10:28 PDT – T[0xA031AF60] – DirectoryService 5.0 (v514) starting up…
    2008-06-26 15:10:28 PDT – T[0xB0185000] – Initializing TCP …
    2008-06-26 15:10:28 PDT – T[0xB0207000] – Plugin , Version <1.0>, processed successfully.
    2008-06-26 15:10:28 PDT – T[0xB0207000] – Plugin , Version <3.0>, processed successfully.
    2008-06-26 15:10:28 PDT – T[0xB0207000] – Plugin , Version <1.0>, processed successfully.
    2008-06-26 15:10:29 PDT – T[0xB0207000] – Plugin , Version <3.0>, processed successfully.
    2008-06-26 15:10:29 PDT – T[0xB0207000] – Plugin , Version <3.0>, processed successfully.
    2008-06-26 15:10:29 PDT – T[0xB0207000] – Plugin , Version <2.0>, processed successfully.
    2008-06-26 15:10:29 PDT – T[0xB038D000] – Registered node /Configure
    2008-06-26 15:10:29 PDT – T[0xB038D000] – Plug-in Configure state is now active.
    2008-06-26 15:10:29 PDT – T[0xB0491000] – Plug-in LDAPv3 state is now active.
    2008-06-26 15:10:29 PDT – T[0xB0595000] – Registered Locally Hosted Node /BSD/local
    2008-06-26 15:10:29 PDT – T[0xB0595000] – Registered node /BSD/local
    2008-06-26 15:10:29 PDT – T[0xB0595000] – Plug-in BSD state is now active.
    2008-06-26 15:10:29 PDT – T[0xB040F000] – Registered Locally Hosted Node /Local/Default
    2008-06-26 15:10:29 PDT – T[0xB040F000] – Registered node /Local/Default
    2008-06-26 15:10:29 PDT – T[0xB040F000] – Plug-in Local state is now active.
    2008-06-26 15:10:29 PDT – T[0xB0513000] – Registered node /Search
    2008-06-26 15:10:29 PDT – T[0xB0513000] – Registered node /Search/Contacts
    2008-06-26 15:10:29 PDT – T[0xB0513000] – Registered node /Search/Network
    2008-06-26 15:10:29 PDT – T[0xB0513000] – Plug-in Search state is now active.
    2008-06-26 15:10:31 PDT – T[0xB030B000] – Registered node /Cache
    2008-06-26 15:10:31 PDT – T[0xB030B000] – Plug-in Cache state is now active.
    2008-06-26 15:10:31 PDT – T[0xB0207000] – Plugin “Active Directory”, Version “1.6”, is set to load lazily.
    2008-06-26 15:10:31 PDT – T[0xB0207000] – Plugin “PasswordServer”, Version “4.0”, is set to load lazily.
    2008-06-26 15:10:41 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:10:43 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:10:44 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:10:45 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:25:52 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:25:52 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:25:54 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:25:55 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:25:55 PDT – T[0xB0081000] – Network transition occurred.
    2008-06-26 15:37:05 PDT – T[0xB0103000] – Plugin “PasswordServer”, Version “4.0”, loaded on demand successfully.
    2008-06-26 15:37:05 PDT – T[0xB0103000] – Plug-in PasswordServer state is now active.
    2008-06-26 16:08:16 PDT – T[0xA031AF60] – Shutting down DirectoryService…
    2008-06-26 16:10:13 PDT – T[0xA083BFA0] –

    Directory Service Debug Logs:

    2008-06-30 11:57:37 PDT – T[0xB0289000] – PasswordServer PlugIn: SASL authentication error 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – CPSPlugIn::DoAuthentication returning 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsDoDirNodeAuth(), PasswordServer Used : DAR : Node Ref = 16903579 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsDoDirNodeAuth(), LDAPv3 Used : DAR : Node Ref = 16903577 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirNode(), PasswordServer Used : DAC : Node Ref = 16903579
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirNode(), PasswordServer Used : DAR : Node Ref = 16903579 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirService(), Server Used : DAC : Dir Ref 16903578
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirService(), Server Used : DAR : Dir Ref 16903578 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAC : Node Ref = 16903577
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Internal Dispatch, API: dsCloseDirNode(), LDAPv3 Used : DAR : Node Ref = 16903577 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – CDSLocalPlugin::DoAuthentication(): got error of 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Client: Workgroup Manage, PID: 24662, API: dsDoDirNodeAuth(), Local Used : DAR : Node Ref = 16903569 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0103000] – Client: Workgroup Manage, PID: 24662, API: dsFindDirNodes(), Server Used : DAC : Dir Ref 16903553 : Data buffer size = 2048
    2008-06-30 11:57:37 PDT – T[0xB0103000] – Client: Workgroup Manage, PID: 24662, API: dsFindDirNodes(), Server Used : DAR : 1 : Dir Ref = 16903553 : Requested nodename = /Search
    2008-06-30 11:57:37 PDT – T[0xB0103000] – Client: Workgroup Manage, PID: 24662, API: dsFindDirNodes(), Server Used : DAR : 2 : Dir Ref = 16903553 : Result code = 0
    2008-06-30 11:57:37 PDT – T[0xB0289000] – Client: Requesting dsOpenDirNode with PID = 24662, UID = 501, and EUID = 501
