Aug 12, 2012 3:16 AM (in response to SpocksBeard)
Same here. Did a clean install (formatted the drive first) of ML Server and used a FQDN for it. Kerberos is not working yet.
I did not try to mess with the Kerberos database on the server yet. Did you manage to clean this up?
Aug 12, 2012 5:39 AM (in response to christian.aust)
When I try to configure my client, which is also OS X Server (10.8), to a data center hosted (so DNS is ok...) OS X Server (10.8) I get the error:
Connection failed to the directory server.
The same problem was there when I still had Lion Server, only now I can't even see if Kerberos is running because Apple took out Server Admin and "sudo serveradmin fullstatus dirserv" isn't very clear...
I really want to use option 3, but now the only way to have maximum pleasure from using OS X Server means I will have to buy extra hardware...
Aug 12, 2012 11:13 AM (in response to christian.aust)
Good to hear that I am not alone with this particular problem.
I am still waiting for an answer from enterprise support... The guy told me that he escalated it to the engineering department.
So it looks like a bug to me.
If I run "sudo ktutil list", I can see the services kerberized with FQDN.
Does anybody know how to add a "testserver.local" entry to it?
I want to play with "ktutil add ....." but I am not yet familiar with the syntax.
Aug 12, 2012 8:17 PM (in response to SpocksBeard)
TBH, I just configured a new Mountain Lion server and had AD binding working for a day or two. After that I gave up on it. The binding would drop out randomly and stop mail services from even working. Switched to Open Directory.
Aug 13, 2012 11:22 AM (in response to SpocksBeard)
I finally got feedback from enterprise support. They told me that it was filed as a bug (other users also reported this malfunction) but they cannot tell me if or when this will be fixed. And they told me they cannot support command line tools (regarding my question about ktutil).
I am a bit surprised that Apple releases a server with such a huge bug inside. One simple test would have shown this...
But ok, let's change the decor:
Does anybody know how to use "ktutil add" in detail to add a *.local domain to the Kerberos database?
Aug 13, 2012 2:10 PM (in response to SpocksBeard)
I fixed it.
You have to do 2 steps in Terminal (do "sudo bash" first)
Step One (Add the local principal to the Kerberos database)
- Open kadmin by typing "kadmin -l"
- Read the old value by typing "list -l <principal name>" (e.g. afpserver/testserver.mydomain.de)
- Add a new entry by "add <new local principal>" (e.g. afpserver/testserver.local)
Follow the wizard, copy attributes from FQDN entry, leave pwd blank.
- type exit
You should now see something like this:
Step Two (Add the local principal to keytab)
- list your entries by typing "ktutil list"
- Use ktutil to add the principal three times with different encryption types to the keytab by typing "ktutil add -p afpserver/testserver.local"
copy the encryption type from the listed entries of your prior query, key version is 1 and leave pwd blank again.
You should now see something like this:
After that, clicking on my testserver on my client with user test7, I see this:
instead of "not connected".
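Scripted form of Step Two above, as an added example that is not part of the original post and not Apple's tooling: it reads the "ktutil list" output for the FQDN principal, picks out the key version and encryption type of each entry, and emits one "ktutil add" command per entry for the .local principal, so the three manual invocations the post describes can be reviewed before they are run as root. It assumes the Heimdal ktutil shipped with OS X Server, its "ktutil list" column layout (Vno, Type, Principal) and its "-p", "-V" and "-e" options; the keytab listing, the realm MYDOMAIN.DE and the principal names are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: derive the "ktutil add" commands for a
# .local principal from the keytab entries of the existing FQDN principal.
# Assumes Heimdal ktutil (as on OS X Server) and its "ktutil list" layout.

# Constructed sample of "ktutil list" output; the cifs/ entry is there only to
# show that entries of other principals are ignored.
SAMPLE_KEYTAB_LISTING='FILE:/etc/krb5.keytab:

Vno  Type                     Principal
  1  aes256-cts-hmac-sha1-96  afpserver/testserver.mydomain.de@MYDOMAIN.DE
  1  aes128-cts-hmac-sha1-96  afpserver/testserver.mydomain.de@MYDOMAIN.DE
  1  des3-cbc-sha1            afpserver/testserver.mydomain.de@MYDOMAIN.DE
  1  aes256-cts-hmac-sha1-96  cifs/testserver.mydomain.de@MYDOMAIN.DE'

# keytab_keys_for LISTING PRINCIPAL
# Prints "kvno enctype" for every keytab entry of PRINCIPAL (given without realm).
keytab_keys_for() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 ~ ("^" p "@") { print $1, $2 }'
}

# local_principal_commands LISTING FQDN_PRINCIPAL LOCAL_PRINCIPAL
# Emits one "ktutil add" per key of FQDN_PRINCIPAL, targeting LOCAL_PRINCIPAL
# with the same kvno and enctype. Without -w or -r, ktutil prompts for the
# password, matching the "leave pwd blank" step in the post.
local_principal_commands() {
    keytab_keys_for "$1" "$2" | while read -r kvno etype; do
        printf 'ktutil add -p %s -V %s -e %s\n' "$3" "$kvno" "$etype"
    done
}

# check_local_principal LISTING LOCAL_PRINCIPAL
# Succeeds (exit 0) when LOCAL_PRINCIPAL has at least one keytab entry, so a
# second "ktutil list" can confirm the keys were actually written.
check_local_principal() {
    [ -n "$(keytab_keys_for "$1" "$2")" ]
}

# Stand-alone use: print the commands for review; on the server, replace the
# sample listing with "$(ktutil list)" and run the printed lines as root.
local_principal_commands "$SAMPLE_KEYTAB_LISTING" \
    afpserver/testserver.mydomain.de afpserver/testserver.local
```

The script only prints commands; it never modifies the keytab itself. Keeping the key version and encryption types identical to the FQDN entries is the point of the filter: if the keytab keys for the .local name disagree with what the KDC holds for that principal, clients get a key-version or enctype mismatch rather than a working ticket, which is why the post has you copy those values from the existing entries.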
Aug 13, 2012 10:15 PM (in response to SpocksBeard)
Hm. Wonderful idea, but there are no afpserver/* principals in my database yet. I SSH'ed into the box, became root using sudo -i and opened kadmin as you wrote.
I do have a wildcard SSL certificate installed right now, maybe that is causing trouble? Will replace it with a cert matching the hostname.
Mar 2, 2013 5:54 PM (in response to SpocksBeard)
I couldn't get these commands to work, but adding the .local name is exactly what I needed to do. I was able to accomplish it by running the following command:
sudo krbservicesetup -r MYREALM.COM -a diradmin -p mypass afpserver afpserver/servername.local@MYREALM.COM
After running that my Mac OS 10.8 clients were able to view the correct AFP shares from the 10.8 server.
Thanks for pointing me in the right direction!