Open Directory Master: Kerberos is stopped

Hello,

I'm desperately trying to set up Mac OS X Server as Open Directory Master. Everything works fine, but Kerberos doesn't run.

Here are the details:

DNS works forward and backward. +changeip -checkhostname+ says "ok". To be sure, I appended the server in the "hosts" file. OD is supposed to run on the same machine as the DNS.

When I switch from Standalone to OD Master, the search-base and the kerberos realm are set up automatically. When I press "save", the Open Directory service is started. But Overview says: "Kerberos is stopped".

Trying to kerberize it in the settings pane yields an authentication dialog. When I enter the OD admin name and password, the dialog comes back. The name and password, just set up a minute ago, are not recognized.
Then I tried it on the command line. +slapconfig -kerberize+ yields the same behavior as Server Admin: the OD admin name and password are not recognized.

At last I ran kerberosautoconfig and kdcsetup without errors, but krb5kdc yields "Cannot find/read stored master key" in the system log.

Now I'm out of ideas what I could try.
Any help is highly appreciated. Thanks.

G. Heinrich

G5, Mac OS X (10.4.10), Server

Posted on Sep 4, 2007 7:56 AM


Sep 5, 2007 1:08 AM in response to gh-blue

Hi

I've seen a similar issue and it does seem odd. It also compounds itself sometimes by allowing you to create diradmin yet when you log into the OD node in WGM there is no diradmin account in the list of users.

What I did to cure the problem that did not involve flattening the server and starting from scratch is to demote to Standalone. Stop the DNS Service as well as any other service configured and running, delete the DNS configuration and then restart the server. Inspect the contents of /etc/named.conf as well as /var/named and make sure the pointer record has been deleted. The PTR record will be in /var/named and the file will look something like this: db.16.16.172. Repair privileges and permissions and then start required services. Start off with AFP and Windows (if required), then move onto DNS. Configure DNS services using the GUI and then move onto Open Directory, hopefully Kerberos should now start.

Bear in mind that if you have configured DNS manually then go ahead and do that, but on no account have Server Admin open whilst doing this and don't revisit the DNS GUI afterwards as it will have a tendency to break any manual configuration already done.

Tony

Sep 5, 2007 8:47 AM in response to Antonio Rocco

Thanks, Antonio, for your kind reply.
I followed your instructions, but it didn't help. Kerberos is still not running.

I noticed an error message in the logs while the directory service was starting:

/usr/sbin/vpnaddkeyagentuser/: This node is not using Password Server. Error: -14130

Still, DNS works well forward and backward, when checked with host or with the lookup pane in +Network Utility+. The dig output looks like this:

dig 192.168.178.25

; <<>> DiG 9.3.4 <<>> 192.168.178.25
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20375
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;192.168.178.25. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2007090400 1800 900 604800 86400

;; Query time: 164 msec
;; SERVER: 192.168.178.25#53(192.168.178.25)
;; WHEN: Wed Sep 5 17:43:52 2007
;; MSG SIZE rcvd: 107

I wonder why there are no answers. The zone files look ok to me, but I'm not so familiar with DNS.
Again, I'm stuck.
Any help is highly appreciated.
Regards,

G. Heinrich

Sep 5, 2007 10:44 AM in response to gh-blue

Hi

You should be getting an ANSWER when you perform a Lookup using network utility or if you dig using the command line. Kerberos is never going to start unless your DNS is resolving correctly. If you are basing DNS around .local for the hostname then you are going to have problems either sooner or later.

It's best if you use an FQDN (fully qualified domain name); if you have a real-world domain then use that, for example mydomain.com. You don't have to use a real-world domain just as long as your pretend FQDN looks like a domain name. Make your server's name something like myserver. Its FQDN then would be myserver.mydomain.com; work on that basis and DNS services should then start properly, allowing Open Directory and Kerberos to start. One possible reason why you are not getting an answer is that the server's IP address should be the only address in the DNS Server's field in the Network Preferences pane. You add the address after configuring DNS Services. If you launch a web browser and you can successfully get onto the internet using the server's own IP address, and by implication its own DNS Service, then that is a good indication that DNS is working correctly.

Tony

Sep 5, 2007 3:11 PM in response to Antonio Rocco

Thanks again.

I am sorry that I caused some confusion here.
Firstly I should have pointed out that I use an FQDN.
Secondly, the output of the commands is as follows:

srv-01:~ admin$ *host srv-01.office.lan*
srv-01.office.lan has address 192.168.178.25
srv-01:~ admin$ *host 192.168.178.25*
25.178.168.192.in-addr.arpa domain name pointer srv-01.office.lan.

=> It works with host forward and backward.

Lookup has started ...


; <<>> DiG 9.3.4 <<>> -x 192.168.178.25 ptr
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23237
;; flags: qr aa rd ra; QUERY: 1, *ANSWER: 1*, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;25.178.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
*25.178.168.192.in-addr.arpa. 86400 IN PTR srv-01.office.lan.*

;; AUTHORITY SECTION:
178.168.192.in-addr.arpa. 86400 IN NS srv-01.office.lan.

;; ADDITIONAL SECTION:
srv-01.office.lan. 86400 IN A 192.168.178.25

;; Query time: 0 msec
;; SERVER: 192.168.178.25#53(192.168.178.25)
;; WHEN: Wed Sep 5 23:36:11 2007
;; MSG SIZE rcvd: 106

=> It works with the lookup pane in +Network Utility+ which calls dig.

srv-01:~ admin$ *dig -x 192.168.178.25*

; <<>> DiG 9.3.4 <<>> -x 192.168.178.25
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54570
;; flags: qr aa rd ra; QUERY: 1, *ANSWER: 1*, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;25.178.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
*25.178.168.192.in-addr.arpa. 86400 IN PTR srv-01.office.lan.*

;; AUTHORITY SECTION:
178.168.192.in-addr.arpa. 86400 IN NS srv-01.office.lan.

;; ADDITIONAL SECTION:
srv-01.office.lan. 86400 IN A 192.168.178.25

;; Query time: 0 msec
;; SERVER: 192.168.178.25#53(192.168.178.25)
;; WHEN: Thu Sep 6 00:02:43 2007
;; MSG SIZE rcvd: 106

=> It does work with dig on the +command line+ if I use the '-x' option, which I didn't use in my previous post.

I thus conclude that DNS is working properly, and the reason why kerberos doesn't run has to be found somewhere else.
What about this log entry about the missing Password Server?

Some more info about kerberos:
- The edu.mit.kerberos.plist file is missing in /Library/Preferences.
- If I press Cmd-E in Kerberos.app to create the file, the dialog does not show up.

Regards,

Georg
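The three dig transcripts above differ only in whether -x was used: a bare "dig 192.168.178.25" asks for an A record literally named 192.168.178.25 and gets NXDOMAIN, while "dig -x" builds the in-addr.arpa PTR query. As an added example (not from this thread or from Apple's changeip tool), here is a small Python check that parses dig output and verifies the hostname-to-IP-to-hostname round trip that changeip -checkhostname insists on; the dig snippets are constructed, modelled on the posts above.

```python
import re

# Constructed dig transcripts modelled on the thread's posts (not captured from the poster's server).
DIG_FORWARD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
srv-01.office.lan. 86400 IN A 192.168.178.25
"""
DIG_REVERSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54570
;; ANSWER SECTION:
25.178.168.192.in-addr.arpa. 86400 IN PTR srv-01.office.lan.
"""
# "dig 192.168.178.25" without -x asks for an A record *named* 192.168.178.25, hence NXDOMAIN.
DIG_BARE_IP = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20375
;; QUESTION SECTION:
;192.168.178.25. IN A
"""

def parse_dig(text):
    """Return (status, answers); each answer is an (owner, ttl, class, type, rdata) tuple."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";;") or not line.strip():
            in_answer = False                  # any other section header or blank line ends it
        elif in_answer:
            f = line.split()
            answers.append((f[0], int(f[1]), f[2], f[3], " ".join(f[4:])))
    return status, answers

def reverse_name(ip):
    """192.168.178.25 -> 25.178.168.192.in-addr.arpa. (the owner name a PTR query uses)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def check_round_trip(hostname, ip, forward_text, reverse_text):
    """List mismatches between the A and PTR data; an empty list means the round trip is consistent."""
    fqdn = hostname.rstrip(".") + "."
    fstatus, fans = parse_dig(forward_text)
    rstatus, rans = parse_dig(reverse_text)
    problems = [f"{n} lookup returned {s}" for n, s in (("forward", fstatus), ("reverse", rstatus)) if s != "NOERROR"]
    if ip not in [r[4] for r in fans if r[0] == fqdn and r[3] == "A"]:
        problems.append(f"no A record {fqdn} -> {ip}")
    if fqdn not in [r[4] for r in rans if r[0] == reverse_name(ip) and r[3] == "PTR"]:
        problems.append(f"no PTR record {reverse_name(ip)} -> {fqdn}")
    return problems
```

Feed it the output of "dig <host>" and "dig -x <ip>" from the server itself; the bare-IP transcript is included only to show how the missing -x is reported.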

Sep 5, 2007 6:24 PM in response to gh-blue

You've said that changeip -checkhostname also comes back ok ("there is nothing to change"),
and if that's so then I would not have suggested demoting or blowing away your DNS settings.

You need to fix your passwordserver.

On the server itself:

sudo NeST -hostpasswordserver <odadminname> <odadminpwd>

The "sudo" there will require that you authenticate with the local (i.e., initial, existing in NetInfo) admin user's password.

Of course, don't use actual brackets.

This is mentioned by Apple in the following (refers to 10.2 but it does still apply!):
http://docs.info.apple.com/article.html?artnum=107243

You may wish to manually remove (this assumes Kerberos is in fact not running):
/Library/Preferences/edu.mit.Kerberos
/etc/krb5.keytab
/var/db/krb5kdc/*
possibly the contents of /Library/Preferences/DirectoryService (and then rebooting)

Then you should be able to fire up Kerberos via:

1. sudo kerberosautoconfig -r REALM.ORG -m myserver.org

2. sudo kdcsetup -f /LDAPv3/127.0.0.1 -w -a ldap(od)admin -p admin_pass REALM.ORG

3. sudo sso_util configure -r KERB-REALM -a ldap(od)admin -p ldap(od)admin_password all

Note that instead of #3 above, you can use: sudo dsconfigad -enableSSO
Here "ldap(od)admin" is the account you set up when promoting your server to OD Master.

For more, "man kdcsetup" as well as
http://docs.info.apple.com/article.html?artnum=107702

Sep 5, 2007 11:22 PM in response to davidh

Thanks, David, for your kind reply.

The first few commands worked well.
Here's the output of the last command:

srv-01:~ admin$ *sudo sso_util configure -r SRV-01.OFFICE.LAN -a name -p passwd all*
Contacting the directory server
Creating the service list
Creating the service principals
*kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface*
*SendInteractiveCommand: failed to get pattern*

and the alternative:

srv-01:~ admin$ *sudo dsconfigad -enableSSO*
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
...
</dict>
</plist>
Unable to configure service http error = 2
Unable to configure service HTTP error = 2
Cleaning up
Settings changed successfully

... and kerberos is still not running.

/etc/krb5.keytab is missing
/var/db/krb5kdc is missing
/Library/Preferences/edu.mit.Kerberos is present (for the first time - at least a small success!)

Thank you very much.
Further hints are highly appreciated.
Regards,

Georg

Sep 6, 2007 5:31 AM in response to davidh

Thanks again, David, for your help.

srv-01:~ admin$ *cat /Library/Preferences/edu.mit.Kerberos*
# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
# autogenerated from : Self Generated
# generation_id : 0
[libdefaults]
default_realm = SRV-01.OFFICE.LAN
[realms]
SRV-01.OFFICE.LAN = {
kdc = srv-01.office.lan
admin_server = srv-01.office.lan
}
[domain_realm]
.office.lan = SRV-01.OFFICE.LAN
office.lan = SRV-01.OFFICE.LAN

srv-01:~ admin$ *sudo dscl /LDAPv3/127.0.0.1 -read /Config/KerberosKDC*
read: Invalid Path

Hope this tells you something.
Regards,

Georg

Sep 6, 2007 8:24 AM in response to gh-blue

Hi

Launch TextEdit and copy and paste the following:

# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
#
#
[libdefaults]
default_realm = SRV-01.OFFICE.LAN
[realms]
SRV-01.OFFICE.LAN = {
kdc = srv-01.office.lan
admin_server = srv-01.office.lan
}
[domain_realm]
office.lan = SRV-01.OFFICE.LAN
.office.lan = SRV-01.OFFICE.LAN

Save it as edu.mit.Kerberos in /Library/Preferences and run David's commands again. You'll notice lines 3 and 4 are missing. If all goes well these should be populated with an autogenerated line containing a reference to the LDAP server and its IP address as well as a generated ID number. Your DNS looks good to me, although I have seen problems in the past when .lan and .internal were used. If you are still at an early stage it may be advisable to change the hostname and domain to srv-01.office.org or .com or .net. If you have a real-world domain use that.

Tony
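The edu.mit.Kerberos file above is in MIT's krb5.conf profile format, and the KDC only works when its three sections agree: the default_realm must have a [realms] block with a kdc and admin_server, and the kdc's own hostname must map back to that realm through [domain_realm]. As an added example (not part of this thread or of Apple's tools), here is a Python checker for exactly those relationships; the config text is a constructed copy of the file Tony posted plus a deliberately broken variant.

```python
# Constructed copy of the thread's edu.mit.Kerberos file and a broken variant whose default_realm has no [realms] block.
GOOD_CONF = """\
[libdefaults]
default_realm = SRV-01.OFFICE.LAN
[realms]
SRV-01.OFFICE.LAN = {
kdc = srv-01.office.lan
admin_server = srv-01.office.lan
}
[domain_realm]
office.lan = SRV-01.OFFICE.LAN
.office.lan = SRV-01.OFFICE.LAN
"""
BAD_CONF = GOOD_CONF.replace("default_realm = SRV-01.OFFICE.LAN", "default_realm = OFFICE.LAN")

def parse_krb5(text):
    """Parse the MIT profile format into {section: {key: value}}; "REALM = { ... }" blocks nest one level."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = sections.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):                       # "REALM = {" opens a nested block
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            (block if block is not None else section)[key] = val
    return sections

def realm_for_host(conf, host):
    """MIT's [domain_realm] rule: try the full host name, then each parent domain with a leading dot."""
    labels = host.lower().split(".")
    candidates = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((conf.get("domain_realm", {})[c] for c in candidates if c in conf.get("domain_realm", {})), None)

def check_krb5(text):
    """Return the inconsistencies a KDC would trip over; an empty list means the file is coherent."""
    conf = parse_krb5(text)
    default, realms = conf.get("libdefaults", {}).get("default_realm"), conf.get("realms", {})
    problems = [] if default in realms else [f"default_realm {default} has no [realms] block"]
    for name, settings in realms.items():
        problems += [f"realm {name} lacks {k}" for k in ("kdc", "admin_server") if k not in settings]
        if "kdc" in settings and realm_for_host(conf, settings["kdc"]) != name:
            problems.append(f"kdc {settings['kdc']} does not map back to {name} via [domain_realm]")
    problems += [f"[domain_realm] maps {d} to unknown realm {r}" for d, r in conf.get("domain_realm", {}).items() if r not in realms]
    return problems
```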

Sep 6, 2007 12:00 PM in response to gh-blue

Thanks, Tony, for your advice.

I missed it, however. I've decided to erase the HD and start from scratch again.

After starting DNS, I ran +changeip -checkhostname+ and got an error message this time, although host worked forward and backward. I followed the instructions given by changeip, and when I set up the OD master afterwards, kerberos worked at the first attempt.

Thanks for your hints, I've learnt a lot in this thread!
Regards,

Georg
