Replies: 9 - Pages: 1 - Last Post: May 21, 2007 2:26 PM by: checkered
OD master won't Kerberize - hostname found in rendezvous
Posted: Apr 26, 2007 1:12 PM
I've configured my Xserve as an OD master but it will not kerberize. I get the error message:
Hostname servername.domain.local is from Rendezvous
Skipping Kerberos configuration
I have A and PTR records for my server and have verified both of my dns servers are resolving them.
hostname returns the FQDN. scutil --get HostName returns the FQDN. scutil --get LocalHostName returns a different hostname that matches the Rendezvous name in Sharing. /etc/hostconfig has Hostname=servername.domain.local rather than -automatic-.
I have local added to the search path as recommended by http://docs.info.apple.com/article.html?artnum=107800
I'm at a total loss why it's still resolving the hostname via rendezvous. Anyone have any insight?? Thanks.
XServe Mac OS X (10.4.9)
Re: OD master won't Kerberize - hostname found in rendezvous
Posted: Apr 27, 2007 2:31 PM in response to: Antonio Rocco
I appreciate the post.
I linked to the article on the .local issue in my first post. I've also spoken with Apple technicians directly, who verified that I shouldn't have issues with my current set up. They mentioned it needing to be 3-tiered (server.domain.tld), which it is.
I have 2 existing DNS servers on the network on which I have set up A and PTR records for this server, and things are resolving. I know the DNS setup is good. I've even set up DNS on the server itself and set up the appropriate records, but it still resolves its name from Rendezvous.
At this point, I've spent so much time on this I think I'm just going to reinstall the OS. Will post if I get it or if I end up with the same problems.
XServe
Mac OS X (10.4.9)
Re: OD master won't Kerberize - hostname found in rendezvous
Posted: Apr 28, 2007 2:52 AM in response to: checkered
Hi
I understand what you are saying and it is a shame that you may end up reinstalling the OS, although it's not that critical, as it sounds as if it's a first-time deployment, so there should be nothing to lose. The Apple technicians are technically correct, but in my experience using a FQDN rather than .local is always a better option, even for simple file services; things just work better provided it's configured correctly and thoroughly tested.
Re: OD master won't Kerberize - hostname found in rendezvous
Posted: Apr 30, 2007 8:27 AM in response to: Antonio Rocco
I understand. The issue is my existing AD domain is set up .local and the ultimate goal is AD integration. I suppose I could set up DNS on the XServe rather than using my AD Integrated DNS servers and use something other than .local.
Reinstalling at this point was no big deal, though it made no difference.
Mac OS X (10.4.9)
Re: OD master won't Kerberize - hostname found in rendezvous
Posted: Apr 30, 2007 8:59 AM in response to: checkered
Hi
You could set up DNS and it should not be a problem. The AD server can always catch up later on.
Re: OD master won't Kerberize - hostname found in rendezvous
Posted: May 1, 2007 12:39 AM in response to: checkered
"/etc/hostconfig has Hostname=servername.domain.local rather than -automatic-"
Don't do that in 10.4.x. Return it to -Automatic-.
And your domain name is domain.local, not just .local, in the search domain, and use the hostname in the Sharing setup ("three tier", remember?). Use all small letters in the name if set up like that in DNS.
Bonjour name should probably also be: hostname(.local)
Use the Windows DNS and set up your servername there (reverse too) and use it in the Network config. It's easier to use the Windows DNS if you are going to connect to the AD later. Also, managing the whole DNS in one place (all machines use the same DNS data) is a good idea.
You can set up more nameservers (NS) in Windows DNS if you want to use the Mac server as a secondary DNS (running as DNS slave - don't forget the reverse zone: in-addr.arpa.xxx.xxx.xxx). If you do this, then change the Mac server to use itself as the DNS.
Also test the DNS setup with: sudo changeip -checkhostname
Running as OD Master AND connected to the AD - hm... It can be done, but why do you need it? Want to control users' local privileges? If that's not needed (I have never really tried it as) it seems easier to just use the AD.
When binding to the AD I think it will change the content of /Library/Preferences/edu.mit.kerberos to reflect the AD settings.
Also, if you decide to run without OD, just AD (when bound), then go to Open Directory setup in SA and click "Join Kerberos" if you want SSO for AD-bound clients.
Not sure what it looks like if OD is on before binding to AD.
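The hostname and DNS checks this post walks through (a three-label host.domain.tld name, A and PTR records that agree, and the .local domain being claimed by Bonjour/Rendezvous) can be scripted. The block below is an added example written for this page, not code from the thread or from Apple's changeip tool; the zone records, the resolver callbacks and the xserve.example.net name are constructed.

```python
# Added example: scripted version of the hostname checks discussed above.
# Resolvers are injected so it runs offline against constructed records.

MDNS_TLD = "local"  # multicast-DNS domain claimed by Bonjour/Rendezvous


def check_kerberos_hostname(fqdn, forward, reverse):
    """Return (level, message) findings; an empty list means all checks pass.
    forward(name) -> IPv4 string or None; reverse(ip) -> name or None."""
    findings = []
    name = fqdn.rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 3:  # Apple wants host.domain.tld ("three tier")
        findings.append(("error", "need host.domain.tld, got %r" % fqdn))
    if labels[-1] == MDNS_TLD:  # .local may be answered by mDNS, not DNS
        findings.append(("warn", "%s ends in .local, which Bonjour claims; "
                         "it may resolve via Rendezvous instead of DNS" % name))
    ip = forward(name)
    if ip is None:
        findings.append(("error", "no A record for %s" % name))
        return findings  # reverse check is meaningless without an address
    ptr = reverse(ip)
    if ptr is None:
        findings.append(("error", "no PTR record for %s" % ip))
    elif ptr.rstrip(".").lower() != name:
        findings.append(("error", "PTR for %s is %s, expected %s"
                         % (ip, ptr, name)))
    return findings


def kerberos_ready(findings):
    """True when nothing is an error; a .local warning alone does not block."""
    return not any(level == "error" for level, _ in findings)


# Constructed zone data: the .local name has no PTR, the renamed host has both.
SAMPLE_A = {"xserve.mycompany.local": "192.0.2.10",
            "xserve.example.net": "192.0.2.11"}
SAMPLE_PTR = {"192.0.2.11": "xserve.example.net"}

if __name__ == "__main__":
    for host in ("xserve.mycompany.local", "xserve.example.net"):
        found = check_kerberos_hostname(host, SAMPLE_A.get, SAMPLE_PTR.get)
        print(host, "ready" if kerberos_ready(found) else "NOT ready", found)
```

For a live check, pass wrappers around socket.gethostbyname and socket.gethostbyaddr that return None on failure; bear in mind that on OS X those calls can themselves be answered by mDNS, which is the very behaviour being diagnosed.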
Re: OD master won't Kerberize - hostname found in rendezvous
Posted: May 1, 2007 8:44 AM in response to: Leif Carlsson
"/etc/hostconfig has Hostname=servername.domain.local rather than -automatic-"
"Don't do that in 10.4.x. Return it to -Automatic-"
I've tried this both ways; it made no difference either way.
"And your domain name is domain.local, not just .local, in the search domain, and use the hostname in the Sharing setup ("three tier", remember?). Use all small letters in the name if set up like that in DNS."
The Apple documentation says if you are using "domain.local" to put "local" in the search domain. I had that AND "domain.local". It's server.domain.tld how I have it: xserve.mycompany.local
"Bonjour name should probably also be: hostname(.local)"
This is set as xserve.local.
"Use the Windows DNS and set up your servername there (reverse too) and use it in the Network config. It's easier to use the Windows DNS if you are going to connect to the AD later. Also, managing the whole DNS in one place (all machines use the same DNS data) is a good idea."
That was what I wanted to do, but it wasn't working.
"You can set up more nameservers (NS) in Windows DNS if you want to use the Mac server as a secondary DNS (running as DNS slave - don't forget the reverse zone: in-addr.arpa.xxx.xxx.xxx). If you do this, then change the Mac server to use itself as the DNS."
"Also test the DNS setup with: sudo changeip -checkhostname"
Had done this... everything looked fine.
"Running as OD Master AND connected to the AD - hm... It can be done, but why do you need it? Want to control users' local privileges? If that's not needed (I have never really tried it as) it seems easier to just use the AD."
"When binding to the AD I think it will change the content of /Library/Preferences/edu.mit.kerberos to reflect the AD settings."
"Also, if you decide to run without OD, just AD (when bound), then go to Open Directory setup in SA and click "Join Kerberos" if you want SSO for AD-bound clients."
"Not sure what it looks like if OD is on before binding to AD."
I'm going off the Bombich article, which has been recommended in numerous places including Apple, hence the setup I'm going for.
So you know, by changing the TLD, setting up the server to provide DNS for the domain, and setting up reverse DNS in my existing AD DNS, I was able to get Kerberos to start, no problems.
Mac OS X (10.4.9)
Re: OD master won't Kerberize - hostname found in rendezvous
Posted: May 1, 2007 10:09 PM in response to: checkered
"/etc/hostconfig has Hostname=servername.domain.local rather than -automatic-"
Don't do that in 10.4.x. Return it to -Automatic-.
"I've tried this both ways, made no difference either way."
Server usually stops complaining in logs.
"The Apple documentation says if you are using "domain.local" to put "local" in the search domain. I had that AND "domain.local". It's server.domain.tld how I have it. xserve.mycompany.local"
Analogous to how the OS X Server DHCP server setup only allows one domain name, I only put in one domain name in the search domain, so server and users get the same domain.
So in your case it should be: mycompany.local - same as the Windows domain, and thus the NetBIOS domain name is MYCOMPANY, and that should be entered in the Windows setup for "Workgroup name" in Server Admin.
.local in the search domain I don't understand - it's already used by Bonjour?
"Use the Windows DNS and set up your servername there (reverse too) and use it in the Network config. It's easier to use the Windows DNS if you are going to connect to the AD later. Also, managing the whole DNS in one place (all machines use the same DNS data) is a good idea.
That was what I wanted to do but it wasn't working."
What wasn't working??? I did it last week and it works (of course).
I also did this:
"You can set up more nameservers (NS) in Windows DNS if you want to use the Mac server as a secondary DNS (running as DNS slave - don't forget the reverse zone: in-addr.arpa.xxx.xxx.xxx). If you do this, then change the Mac server to use itself as the DNS."
"I'm going off the Bombich article which has been recommended numerous places including Apple, hence the setup I'm going for."
Do you mean cross realm? Or is it the MCX part you're after?
"So you know, by changing the TLD, setting up the server to provide DNS for the domain, and setting up reverse DNS in my existing AD DNS I was able to get Kerberos to start no problems."
Is it running as primary DNS or as secondary (slave) off the Windows DNS?
Just setting up IP/name in Windows DNS and using that will make Kerberos work if setting it up as OD Master - it doesn't matter what machine is doing DNS.
If not using the same realm as Windows AD, I guess SSO won't work.
I think I remember when looking at a working AD/OD setup that edu.mit.kerberos had the Windows AD servers as KDC. And maybe the OD Replica I was looking at had an OD Master not connected to the AD...
Re: OD master won't Kerberize - hostname found in rendezvous
Posted: May 21, 2007 2:26 PM in response to: Leif Carlsson
I appreciate the help. I've just bound the server to the domain and kept it as connected to a directory for now. I've accomplished the more critical of what I wanted to do with this doing things this way, however not all of what I wanted accomplished is done. From a user's standpoint, at least they can do what they need.
Mac OS X (10.4.9)