Mar 1, 2012 1:16 PM (in response to Paul Verity)
Ok, so it turns out I can't access an AFP service via the Finder's sidebar, I have to use the "Connect to Server..." route and type the full hostname. Is this expected? Seems very odd to me.
However, it still leaves me wondering why I don't get a ticket when I log in. User credentials are held in OD on the server, and my login name and password I use logging in to Lion (client) is the same as it is in OD.
Ultimately I'd like a user's remote/shared directories on the server to be automatically mounted and visible in the Finder when a user logs in.
If it means anything, /Library/Preferences/edu.mit.Kerberos.kadmind.launchd is empty. Should it be?
Mac OS X (10.7.3)
Mar 5, 2012 8:57 AM (in response to gpw_wmbg)
This may be a service ACL issue - See my ticket which was just resolved by AppleCare.
It turns out one of the latest Apple updates turned on Service ACLs, which caused AFP connections to be blocked. Once I fixed the Service ACL in Server Admin... all connections and Single Sign On worked.
Mar 10, 2012 4:47 PM (in response to Paul Verity)
This just gets worse! I tried binding the server with the directory hosted on the server to see if that would make any difference, and now when I open WGM and try to make changes by authenticating with the diradmin account I get the error:
The login information is not valid for this server.
"The server failed to accept the login information you provided. Check the Name and Password and try to log in again or contact your network administrator."
I know the diradmin password is correct as I've used it plenty of times!
How do I fix this one?!
Mar 13, 2012 4:27 AM (in response to Paul Verity)
Is this a new setup or has it worked before? It looks to me like the Kerberos realm is a bit messed up. There was a command that could be run to re-kerberise an Open Directory. I will see if I can recall what it was.
Mar 13, 2012 4:34 AM (in response to Newbie-2-macs)
You could try the information in this article. Note: This is for 10.5. I am assuming that the commands still work the same in Lion Server. If this is a production server, do so at your own risk.
Mar 17, 2012 2:17 PM (in response to cherybeth)
In Server Admin (10.7.3), click on the server name in the left hand pane that lists the available servers, then click the "Access" icon at the top of the right hand pane. From that you can assign access rights to certain services.
Mar 17, 2012 2:32 PM (in response to Newbie-2-macs)
Many thanks for the info. This is a new setup. Admittedly I have had nothing but pain in getting Lion Server running. It has so far taken 4 fresh re-installs to get the services running that I wanted. I have had services fail one by one a number of times, leading me to start afresh each time rather than poke about under the covers. However, I got enough of what I wanted working, and decided to quit while I was ahead. Unfortunately, services have started to fail again and I don't want to do a fresh install again at this late stage.
All I have working at the moment is Mail, Calendar and Contacts (Web server and Profile Manager no longer work). I'm not sure if Kerberos ever worked, but when I tried to create shared folders for a user to mount at login, it didn't work - which has led me down this path. I don't want to re-install again if I can avoid it, so I'd like to understand the root of my problems and try to fix them.
I'll check out the article and let you know how it goes!
Mar 17, 2012 5:07 PM (in response to Paul Verity)
Right, I seem to be making some progress - I can now log in to WGM (Work Group Manager) again.
It seemed my keytab file was not quite in sync with the KDC database. The KVNOs were higher when viewed in kadmin than those in the keytab. I tried running ktutil purge to update it; it returned very quickly with very little feedback, so I assumed nothing significant happened. So I tried ktutil change. It ran through the keytab file updating it, with some feedback noting some problems with some realms. On running ktutil list, I noticed a number of the principals had their KVNOs updated. I was then able to log in to WGM using the diradmin account again!
The errors highlighted that my server's hostname does not have an entry in this file, nor do the usernames of those that can't authenticate with the AFP service. I do however seem to have a number of entries like this:
1 aes256-cts-hmac-sha1-96 host/LKDC:SHA1.<long_hash_key>@LKDC:SHA1.<long_hash_key>
1 aes128-cts-hmac-sha1-96 host/LKDC:SHA1.<long_hash_key>@LKDC:SHA1.<long_hash_key>
1 des3-cbc-sha1 host/LKDC:SHA1.<long_hash_key>@LKDC:SHA1.<long_hash_key>
Is this expected? Or is this corrupted?
I'm noticing that the ticket the user gets (verified by running klist -v) after using kinit, still has a lower KVNO than the one shown in running kadmin get <principal_name>.
I tried adding a user principal using:
ktutil get -p <username> <username>
It prompts me to enter the password:
But after doing so I get the error:
ktutil: kadm5_create_principal(<username>): Operation requires `add' privilege
So if the user is not in the keytab, could this be why the user doesn't get a ticket when logging in? And where is it getting the KVNO from when running kinit?
Paul
Mac OS X (10.7.3)
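The check described in the post above (comparing the KVNO of each principal in the keytab against the KVNO the KDC holds, and noticing which principals are absent from the keytab altogether) can be scripted over the output of the two tools. The following is an added example and is not code from the poster or from Apple: it parses constructed sample output in the column layout of Heimdal's ktutil list (Vno, Type, Principal) and the "Principal:" / "Kvno:" fields of kadmin get, which is an assumption about those formats, and reports principals whose keytab key is older than the KDC's or missing entirely. The hostnames, realm and LKDC hash are placeholders.

```python
"""Compare key version numbers (KVNOs) in a keytab listing against KDC records.

A service cannot decrypt a ticket issued with a newer key than the one in its
keytab, and a principal that is absent from the keytab cannot authenticate at
all, so both conditions are worth surfacing.
"""
import re

# Constructed sample of `ktutil list` output. Columns follow Heimdal's layout
# (Vno, Type, Principal); the LKDC hash is a placeholder, not a real SHA-1.
KTUTIL_LIST = """\
FILE:/etc/krb5.keytab

Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  host/LKDC:SHA1.PLACEHOLDERHASH@LKDC:SHA1.PLACEHOLDERHASH
  1  aes128-cts-hmac-sha1-96  host/LKDC:SHA1.PLACEHOLDERHASH@LKDC:SHA1.PLACEHOLDERHASH
  3  aes256-cts-hmac-sha1-96  afpserver/od.example.test@EXAMPLE.TEST
  3  des3-cbc-sha1            afpserver/od.example.test@EXAMPLE.TEST
  5  aes256-cts-hmac-sha1-96  ldap/od.example.test@EXAMPLE.TEST
"""

# Constructed sample of several `kadmin get <principal>` runs concatenated.
# Only the "Principal:" and "Kvno:" fields are used; other fields are skipped.
KADMIN_GET = """\
            Principal: afpserver/od.example.test@EXAMPLE.TEST
    Principal expires: never
                 Kvno: 4
            Principal: ldap/od.example.test@EXAMPLE.TEST
    Principal expires: never
                 Kvno: 5
            Principal: host/od.example.test@EXAMPLE.TEST
    Principal expires: never
                 Kvno: 2
"""


def parse_keytab_listing(text):
    """Return {principal: highest kvno present in the keytab}.

    Header and blank lines are skipped; a principal with several enctypes
    (one row each) keeps the highest version seen.
    """
    kvnos = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        vno, _enctype, principal = parts
        kvnos[principal] = max(kvnos.get(principal, 0), int(vno))
    return kvnos


def parse_kadmin_get(text):
    """Return {principal: kvno} from concatenated `kadmin get` output."""
    kvnos = {}
    current = None
    for line in text.splitlines():
        # "Principal:" (not "Principal expires:") names the record that follows.
        m = re.match(r"\s*Principal:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Kvno:\s*(\d+)", line)
        if m and current:
            kvnos[current] = int(m.group(1))
    return kvnos


def find_mismatches(keytab, kdc):
    """Return (stale, missing).

    stale:   {principal: (keytab_kvno, kdc_kvno)} where the keytab lags the KDC
    missing: principals the KDC knows that the keytab lacks
    Keytab-only entries (e.g. the LKDC host principals) are not reported.
    """
    stale = {p: (keytab[p], kdc[p]) for p in kdc if p in keytab and keytab[p] < kdc[p]}
    missing = sorted(p for p in kdc if p not in keytab)
    return stale, missing


def report(ktutil_text=KTUTIL_LIST, kadmin_text=KADMIN_GET):
    """Build human-readable findings from the two listings."""
    stale, missing = find_mismatches(parse_keytab_listing(ktutil_text),
                                     parse_kadmin_get(kadmin_text))
    lines = [f"STALE   {p}: keytab kvno {kt} < kdc kvno {kd}" for p, (kt, kd) in stale.items()]
    lines += [f"MISSING {p}: not in keytab" for p in missing]
    return lines or ["OK: keytab and KDC agree on every principal the KDC knows"]


if __name__ == "__main__":
    print("\n".join(report()))
```

On a real server the two inputs would come from running ktutil list and kadmin get against each service principal, and a STALE finding is the situation the post describes (keytab behind the KDC, fixed there by ktutil change), while MISSING matches the hostname and user principals the poster found absent.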
Mar 18, 2012 2:27 AM (in response to Paul Verity)
In 10.5 Apple introduced a local KDC for each individual machine. Each LKDC is unique for every client on a network. When clients are imaged the LKDC should have a new hash key generated using a command that I forget at the moment. But these are what you are seeing. Server 10.6 had LKDC entries for AFP and for some other services when the Klist -kit command was run.
If possible you may wish to re-build the OD, but having played with Lion Server for a while it doesn't look like you can demote the server to a stand alone server using the Server.app. You may be able to use Server Admin to do this. However, you'll lose all stored Kerberos information, password database and LDAP information, as well as any users created and preferences managed with WGM.
If the process is the same as 10.6 you should then be able to remove the krb file for the domain you had set up. When the server gets promoted back to OD master the server should use a default file and re-create the krb file again.
You may want to check this info though, as I am just going through what I would do on a 10.6 server, and I haven't done this in a long time.