Kerberos issues w/10.5
Has anyone else had difficulty getting kerberos working correctly with 10.5 server? I have a single 10.5.1 OS X Server that is providing file, mail, jabber, and directory services to my small company of 9 employees. The iCal server and network time machine combined with Single Sign On sealed the deal and we ordered an Xserve as soon as 10.5 Server was released. Installation was pretty painless and before too long I had all of the services up and running. After a bit of time, I even had the Debian Etch linux boxes authenticating to the OD server. Once I had all the systems up and running well, I decided to try my hand at kerberos.
Since kerberos was running (Server Admin says it is 😉 ) I went through each of the services one by one and set them to allow kerberos authentication. The first thing I did was fire up the Kerberos app in /System/Library/CoreServices and tried to get a new ticket. So far so good!!!! Then I connected to an AFP share and voila! Another ticket was generated. I was on a roll. Next I reconfigured my iChat client to connect via kerberos. When I went to connect to the server, I was prompted (again) to accept the self-signed SSL certificate which I accepted. As soon as I accepted it, it prompted me for it again... and again... and again. This repeated until I turned off kerberos in the client. I thought this might be a fluke with iChat, so I went and configured my Mail.app client to use kerberos. The results were exactly the same for both imap and smtp. It doesn't connect via kerberos and it complains in an infinite loop about the SSL certificate. Interestingly enough if you configure the server to not use SSL certificates and try it again, the clients still complain about the non-existent "" certificate. Very strange indeed. I tried this with 4 different computers, using the same applications and different user accounts/combinations all with the same results.
Ok, so at this point, I started looking through the server logs, poring over the discussion boards, to no avail. Here's an excerpt from kdc.log:
Nov 25 17:25:15 foo.mydomain.com krb5kdc[29436](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::219:e3ff:fee8:12f2: PROCESS_TGS: authtime 0, <unknown client> for xmpp/foo@FOO.MYDOMAIN.COM, Decrypt integrity check failed
Now, I've reconfigured this box about 20 times by playing with kerberosautoconfig, kdcsetup, and sso_util, so this message is just a slight variant of others I "was" getting. Other log entries say "xmpp/foo.local@FOO.MYDOMAIN.COM".
Here's my latest /Library/Preferences/slapconfig.log:
############################################################
2007-11-25 15:12:27 -0800 - slapconfig -createldapmasterandadmin
2007-11-25 15:12:28 -0800 - Creating password server slot
2007-11-25 15:12:28 -0800 - command: /usr/sbin/mkpassdb -a -u diradmin -p -q
2007-11-25 15:12:28 -0800 - command: /usr/sbin/mkpassdb -a -u root -p -q
2007-11-25 15:12:28 -0800 - command: /usr/sbin/mkpassdb -a -u foo.mydomain.com$ -p -q
2007-11-25 15:12:28 -0800 - command: /usr/sbin/mkpassdb -setcomputeraccount 0x474a015c6b8b45670000000400000004
2007-11-25 15:12:28 -0800 - Setting SASL realm to <foo.mydomain.com>
2007-11-25 15:12:28 -0800 - command: /usr/sbin/mkpassdb -setrealm foo.mydomain.com
2007-11-25 15:12:29 -0800 - Copied file from /etc/openldap/slapd.conf to /etc/openldap/slapd.conf.backup.
2007-11-25 15:12:31 -0800 - Starting LDAP server (slapd)
2007-11-25 15:12:31 -0800 - command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=foo,dc=enable-us,dc=com -w **
2007-11-25 15:12:32 -0800 - command: /usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
2007-11-25 15:12:32 -0800 - slaptest command output:
config file testing succeeded
2007-11-25 15:12:32 -0800 - Stopping LDAP server (slapd)
2007-11-25 15:12:32 -0800 - Starting LDAP server (slapd)
2007-11-25 15:12:32 -0800 - command: /usr/bin/ldapmodify -c -x -D uid=root,cn=users,dc=foo,dc=enable-us,dc=com -w **
2007-11-25 15:12:33 -0800 - Stopping LDAP server (slapd)
2007-11-25 15:12:33 -0800 - Starting LDAP server (slapd)
2007-11-25 15:12:33 -0800 - command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=foo,dc=enable-us,dc=com -w **
2007-11-25 15:12:33 -0800 - Attempting to open /LDAPv3/127.0.0.1 node
2007-11-25 15:12:33 -0800 - Opened /LDAPv3/127.0.0.1 node
2007-11-25 15:12:34 -0800 - Configuring Kerberos server, realm is FOO.MYDOMAIN.COM
2007-11-25 15:12:34 -0800 - Removed directory at path /var/db/krb5kdc.
2007-11-25 15:12:34 -0800 - command: /sbin/kerberosautoconfig -r FOO.MYDOMAIN.COM -m foo.mydomain.com -u -v 1
2007-11-25 15:12:34 -0800 - command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p ** -v 1 FOO.MYDOMAIN.COM
2007-11-25 15:12:37 -0800 - kdcsetup command output:
Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Cannot find primary hostname, falling back to using the first one found
Creating KDC Config File
Creating Admin ACL File
Creating Kerberos Master Key
Creating Kerberos Database
Creating Kerberos Admin user
WARNING: no policy specified for diradmin@FOO.MYDOMAIN.COM; defaulting to no policy
Adding kerberos auth authority to admin user
Creating keytab for the admin tools
Adding KDC & kadmind to launchd
Adding the new KDC into the KerberosClient config record
Cannot find primary hostname, falling back to using the first one found
Finished
2007-11-25 15:12:37 -0800 - command: /usr/sbin/sso_util configure -x -r FOO.MYDOMAIN.COM -f /LDAPv3/127.0.0.1 -a diradmin -p ** -v 1 all
2007-11-25 15:12:40 -0800 - sso_util command output:
Contacting the directory server
Creating the service list
Cannot find primary hostname, falling back to using the first one found
Creating the service principals
WARNING: no policy specified for cifs/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for ldap/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for xgrid/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for vpn/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for ipp/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for xmpp/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for XMPP/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for host/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for smtp/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for nfs/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for http/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for HTTP/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for pop/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for imap/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for ftp/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for afpserver/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
Creating the keytab file
Configuring services
WriteSetupFile: setup file path = /temp.RFrY/setup
2007-11-25 15:12:40 -0800 - command: /sbin/kerberosautoconfig -f /LDAPv3/127.0.0.1 -u -v 1
2007-11-25 15:12:40 -0800 - command: /usr/sbin/mkpassdb -kerberize
2007-11-25 15:12:40 -0800 - mkpassdb command output:
WARNING: no policy specified for foo.mydomain.com$@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for root@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for diradmin@FOO.MYDOMAIN.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "diradmin@FOO.MYDOMAIN.COM".
WARNING: no policy specified for disabled-slot-0x1@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for foo.mydomain.com$@FOO.MYDOMAIN.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "foo.mydomain.com$@FOO.MYDOMAIN.COM".
WARNING: no policy specified for root@FOO.MYDOMAIN.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "root@FOO.MYDOMAIN.COM".
WARNING: no policy specified for diradmin@FOO.MYDOMAIN.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "diradmin@FOO.MYDOMAIN.COM".
WARNING: no policy specified for disabled-slot-0x1@FOO.MYDOMAIN.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "disabled-slot-0x1@FOO.MYDOMAIN.COM".
2007-11-25 15:12:40 -0800 - command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2007-11-25 15:12:40 -0800 - command: /usr/sbin/vpnaddkeyagentuser -q /LDAPv3/127.0.0.1
2007-11-25 15:12:49 -0800 - slapconfig -selfwrite
2007-11-25 15:12:49 -0800 - slapconfig -setldapconfig
2007-11-25 15:12:49 -0800 - command: /usr/sbin/mkpassdb -setreplicationinterval 300 SyncDefault
2007-11-25 15:12:49 -0800 - command: /usr/bin/ldapmodify -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
############################################################
Here's my /Library/Preferences/edu.mit.Kerberos:
FOO.MYDOMAIN.COM = {
admin_server = foo.local
kdc = foo.local
}
[domain_realm]
.local = FOO.MYDOMAIN.COM
local = FOO.MYDOMAIN.COM
[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log
############################################################
Something I've noticed is the entries for foo.local although I'm clueless as to how they got there. When I promote the standalone to OD Master, it defaults to FOO.LOCAL. I change it to FOO.MYDOMAIN.COM. The ldap directory is always correct though (dc=foo, dc=enable-us, dc=com).
To recap, I think there are a couple of issues here:
1) Some kerberos services work (AFP) and others don't (xmpp, smtp, imap)
2) My kerberos installation is definitely suspect, although why AFP would work and not others is beyond me.
I believe my DNS servers are working correctly and the hostname does resolve to the ip address I have assigned to the server. It works both forward and reverse. I've done a lot of different things and tried setting things manually:
############################################################
foo:# slapconfig -kerberize -f diradmin FOO.MYDOMAIN.COM
diradmin's Password: XXXX
Warning: You are bound to another realm, suggest not to kerberize this OD server.
Removed directory at path /var/db/krb5kdc.
command: /sbin/kerberosautoconfig -r FOO.MYDOMAIN.COM -m foo.mydomain.com -u -v 1
command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p ** -v 1 FOO.MYDOMAIN.COM
kdcsetup command output:
Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Cannot find primary hostname, falling back to using the first one found
Creating KDC Config File
kdcsetup command failed with status 11
kdcsetup command failed with exit code 11: stdout=(null), error-message=Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Cannot find primary hostname, falling back to using the first one found
Creating KDC Config File
############################################################
What I'm noticing is the error message: "Cannot find primary hostname, falling back to using the first one found". I don't understand what this message means. It shouldn't be DNS related because the box can certainly resolve its hostname from DNS, both forward and reverse.
############################################################
After I run this, my edu.mit.Kerberos becomes this:
# WARNING This file is automatically created, if you wish to make changes
# delete the next two lines
# autogenerated from : Self Generated
# generation_id :
[libdefaults]
default_realm = FOO.MYDOMAIN.COM
[realms]
FOO.MYDOMAIN.COM = {
admin_server = foo.mydomain.com
kdc = foo.mydomain.com
}
[domain_realm]
.mydomain.com = FOO.MYDOMAIN.COM
mydomain.com = FOO.MYDOMAIN.COM
[logging]
admin_server = FILE:/var/log/krb5kdc/kadmin.log
kdc = FILE:/var/log/krb5kdc/kdc.log
############################################################
This actually looks like it should, but things still don't work correctly.
Thanks in advance.
Message was edited by: weatherbug
MacBook Pro, Mac OS X (10.5.1)
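The kdc.log and sso_util excerpts in the post can be cross-checked mechanically. As an added example that is not part of the original post, the Python script below (sample log lines are constructed from the excerpts above) flags service ticket requests whose principal hostname does not match any principal sso_util reported creating, which is the xmpp/foo versus xmpp/foo.local discrepancy the post notices, and separately reports requests where the principal does exist but the KDC still logged a decrypt failure.

```python
# Added example, not from the original post: cross-check the service
# principals the KDC is asked for (kdc.log) against the ones sso_util
# reported creating (slapconfig.log). Sample lines below are constructed
# from the excerpts in the post.
import re

# kdc.log, e.g. "... for xmpp/foo@FOO.MYDOMAIN.COM, Decrypt integrity check failed"
# or an ISSUE line that ends with the service principal and no trailing status.
TGS_REQ = re.compile(
    r"TGS_REQ .* for (?P<svc>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>[^,\s]+)"
    r"(?:,\s*(?P<status>.*))?$"
)
# slapconfig.log, e.g. "WARNING: no policy specified for xmpp/foo.local@FOO.MYDOMAIN.COM; ..."
CREATED = re.compile(r"no policy specified for (?P<svc>[^/\s]+)/(?P<host>[^@\s]+)@(?P<realm>[^;\s]+);")

SAMPLE_KDC_LOG = """\
Nov 25 17:25:15 foo.mydomain.com krb5kdc[29436](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::219:e3ff:fee8:12f2: PROCESS_TGS: authtime 0, <unknown client> for xmpp/foo@FOO.MYDOMAIN.COM, Decrypt integrity check failed
Nov 25 17:26:02 foo.mydomain.com krb5kdc[29436](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.0.2.10: ISSUE: authtime 1196040000, etypes {rep=18 tkt=18 ses=18}, alice@FOO.MYDOMAIN.COM for afpserver/foo.local@FOO.MYDOMAIN.COM
"""

SAMPLE_SLAPCONFIG_LOG = """\
Creating the service principals
WARNING: no policy specified for cifs/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for xmpp/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for XMPP/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for smtp/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for imap/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for afpserver/foo.local@FOO.MYDOMAIN.COM; defaulting to no policy
WARNING: no policy specified for diradmin@FOO.MYDOMAIN.COM; defaulting to no policy
"""


def created_principals(log_text):
    """Map service name -> set of hostnames for the svc/host principals sso_util created.
    Principal names are case-sensitive, so xmpp and XMPP stay separate."""
    found = {}
    for m in CREATED.finditer(log_text):
        found.setdefault(m.group("svc"), set()).add(m.group("host"))
    return found


def tgs_requests(log_text):
    """Every service ticket request the KDC logged, with the outcome it reported."""
    out = []
    for line in log_text.splitlines():
        m = TGS_REQ.search(line)
        if not m:
            continue
        status = m.group("status") or ("issued" if " ISSUE: " in line else "unknown")
        out.append({"svc": m.group("svc"), "host": m.group("host"),
                    "realm": m.group("realm"), "status": status})
    return out


def diagnose(kdc_log, slapconfig_log):
    """Return (category, principal, explanation) for each TGS request."""
    created = created_principals(slapconfig_log)
    findings = []
    for r in tgs_requests(kdc_log):
        name = f"{r['svc']}/{r['host']}@{r['realm']}"
        hosts = created.get(r["svc"], set())
        if r["host"] in hosts and r["status"] == "issued":
            findings.append(("ok", name, "principal exists and a ticket was issued"))
        elif r["host"] in hosts:
            # The KDC holds this principal but could not decrypt what the client
            # presented: the key it holds does not match (stale keytab or tickets
            # are a common cause after re-kerberizing several times).
            findings.append(("decrypt-failure", name, f"KDC reported: {r['status']}"))
        elif hosts:
            have = ", ".join(sorted(f"{r['svc']}/{h}" for h in hosts))
            findings.append(("name-mismatch", name,
                             f"client asked for host {r['host']!r} but only {have} was created"
                             f" (KDC reported: {r['status']})"))
        else:
            findings.append(("missing", name, f"no {r['svc']}/* principal was created"))
    return findings


if __name__ == "__main__":
    for category, principal, why in diagnose(SAMPLE_KDC_LOG, SAMPLE_SLAPCONFIG_LOG):
        print(f"[{category}] {principal}: {why}")
```

Run against the real files with open("/var/log/krb5kdc/kdc.log").read() and open("/Library/Preferences/slapconfig.log").read() in place of the samples; klist -k on the server shows the same principal names from the keytab side.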