Can't connect to a directory system

I'm working on upgrading all of our OSX Servers from Tiger to Leopard.
Before this happens, I always test new server setups in my test lab.

I'm having a problem in this lab that I cannot figure out. All that I'm trying to do is connect a Leopard server (10.5.2) using 'Connect to a Directory System' to another Leopard server (10.5.2) that is an Open Directory Master.

I can do both forward and reverse lookups on both the servers.
LDAP server, Password Server and Kerberos are all running on the ODM.

I've added the server that I want to connect to the ODM into the computer list of the ODM's Workgroup Manager.

I've created a group of Kerberized Servers with that added computer in WGM.

I've added a Kerberos Record to the ODM which contains:

diradmin for the administrator name
diradmin's password for the administrator password

The fully qualified domain name of the Leopard server that is going to connect to a Directory system

diradmin as the Delegated Administrator.

I don't get an error message and the window disappears after I click add so I'm assuming the record is added.

On the server that is going to connect to the ODM, I open Open Directory Utility and I am able to bind this server to the ODM.

I next click on the Join Kerberos button.

The realm that first appears is LKDC:SHA1.763D1DFF494B476438C
I click on this and choose the Kerberos Realm that I created when I set up the ODM which is marked as (default)

I enter the username of diradmin
I enter diradmin's password for the password.

It tells me I have either an invalid username or password.

I'm pretty sure that the username is correct because if I use another username I get a delegation error that says this administrator has no delegated Kerberos Join authority. But if I go back to the diradmin username it gives me the invalid user name/password error.

Looking at the Password Service Server Log I get an error such as this when I try to join the Kerberos realm:

RSAVALIDATE: success.
AUTH2: {0x47b35e1c6b8b4570000000200000002, diradmin} DHX authentication failed, SASL error -13 (password incorrect).

I've tried destroying the ODM multiple times. Rebooted both servers. Changed the diradmin password. Nothing works.

I'm at a loss for what to do next.

Mac OS X (10.4.10)

Posted on Feb 13, 2008 2:25 PM

13 replies

Feb 14, 2008 9:03 AM in response to LG Tech

Hi Tony,

Thanks for the suggestion. I will try that. However, since my last post I tried one thing differently. I made sure AFP was turned on before I created the ODM. Now when I click on the "Join Kerberos" on the server I want to connect to the ODM it no longer tells me that my password is invalid. The username and password screen will sit there for a few seconds and then disappear. Makes me think that it is working. Unfortunately the paragraph above the Join Kerberos button never disappears. It is the paragraph that says it is a client of a directory system but that this server is not currently using Kerberos.

I'm off to try your suggestion.

Feb 14, 2008 10:22 AM in response to LG Tech

Hi

I'm a bit confused as to what it is you are expecting to see as what you are describing sounds right to me. If you launch Directory Utility (/Applications/Utilities) click Advanced followed by Services you should see the plug-ins available. One of them will be LDAPv3. Selecting this should show you which LDAP Server you are connected to. If it shows the correct information for your OD Master then you are connected and everything should be fine.

Launch Workgroup Manager and select the relevant node you are interested in - this would be the ODM node - you may have to browse for it. Select the blue globe and select other. It should show itself in the list. The list of Users & Groups that are on the ODM should now flow in.

Download the Open Directory Admin Manual from:

http://images.apple.com/server/macosx/docs/OpenDirectory_Adminv10.5.pdf

It should provide more information.

Tony

Feb 14, 2008 11:12 AM in response to LG Tech

Hi

On the server that is "Connected to a Directory System" I have opened Directory Utility and successfully bound the server to the ODM.

Below the Open Directory Utility button is a paragraph followed by a Join Kerberos button. The paragraph states the following:

"Your server is a client of the directory system that hosts Kerberos service, but your server is not currently using Kerberos. If the Kerberos administrator has delegated Kerberos join authority to you or another user on your server, you can join the Kerberos server as a client"

Under tiger, when I would click on the Join Kerberos button and enter the diradmin's name and password and clicked ok, the aforementioned paragraph and the Join Kerberos button would disappear. I would be confident that this server was using Kerberos.

Under Leopard, when I click on the Join Kerberos button and enter the diradmin's credentials, it no longer tells me I have an invalid password, but conversely the Join Kerberos button and the paragraph still remain:

"Your server is a client of the directory system that hosts Kerberos service, but your server is not currently using Kerberos. If the Kerberos administrator has delegated Kerberos join authority to you or another user on your server, you can join the Kerberos server as a client"

It is frustrating. Is this server using Kerberos? According to that paragraph I'm not. Although when I try to Join Kerberos it does not give me an error.

I also set up a Tiger server in this lab and connected it to my ODM. When I join kerberos with the Tiger server that paragraph and the join Kerberos button disappear. It makes me feel that Kerberos is actually running.

I checked everything you suggested in your last post. And everything was there. But is this just because I'm bound to the ODM? How can I be sure that Kerberos is being used on this machine?

Message was edited by: LG Tech

Feb 14, 2008 2:42 PM in response to LG Tech

Hi

It sounds like you have done everything right and it does seem odd. Perhaps this is normal behaviour in 10.5? Perhaps you've found a glitch?

The way to test this is to configure the AFP Service to use Kerberos on the Member Server and then connect a client first to the Master Server and then to Member Server. The client should only have to provide its credentials once.

The way I've done this before on 10.4 Server - I don't see why it should be any different in 10.5 - is to create a machine record for the second server in the DNS Service on the OD Master. Make sure it resolves correctly, nslookup is a good command line utility to use to do this:

nslookup fqdn

and

nslookup ipaddress

I always test both servers first. On the Member Server I would configure Directory Utility first using the LDAPv3 Plug in and make sure the ODM Master is the first one in the list for authentication and contacts. Create the machine record for the member server on the OD Master (make sure you key in the MAC address of the member server correctly) and then use Server Admin on the member server to Connect to the Directory System. That should be it apart from configuring the AFP Service to use Kerberos on the member server. Test using the method outlined above. There should be no reason to click the Join Kerberos button. It's clear from your posts that you seem to have done all of this, but perhaps what I've just outlined may reveal a missed step?

Apologies if you have done all of the above. However to verify if the member server has joined the Kerberos Realm and is delegated to participate in SSO then the test for the client should be proof enough. Issuing:

sudo kadmin.local -q list_principals

on both the ODM and member should show the same information as the member server (if successfully configured) should have access to the same LDAP records as the Master server.

Tony

Feb 14, 2008 3:41 PM in response to LG Tech

I'm having the same trouble. My ODmaster is 10.5.2, my file-server is also running 10.5.2. I've successfully bound the file-server to the ODmaster, but when I attempt to join the kerberos realm, I'm asked to enter my diradmin user/pass and nothing happens.

DNS is fine. NSLOOKUPS resolve both ways for both the ODmaster and file-server. The file server resides on a different subnet.

Feb 15, 2008 12:36 PM in response to LG Tech

Hi Tony,

Let me tell you what I did.

1. I created a dns record for the odm and member server on the odm
2. Started up dns on odm
3. I made sure both machines resolved correctly on both the member and odm using nslookup
4. Started afp on the odm
5. Configured Open Directory Master on ODM with the administrator diradmin
6. Configured Directory Utility on the member server to bind to odm
7. Made sure odm was the first one in list for authentication/contacts (it was the only one)
8. Added a machine record for the member server on the odm. (Double checked that the MAC address was correct.)
9. Added Kerberos record with the member server's FQDN with diradmin as the admin
10. Went to Connect to the Directory System on the member system. It was already selected.

11. Went into terminal on member server and ran the kadmin.local -q list_principals

It gave me the following output:

Authenticating as principal root/admin@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E with password.
K/M@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
afpserver/LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
cifs/LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
kadmin/admin@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
kadmin/changepw@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
kadmin/history@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
kadmin/mail.lgusd.k12.ca.us@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
krbtgt/LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
lgadmin@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
root@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
vnc/LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E

12. Went into terminal on the odm and ran the kadmin.local -q list_principals

It gave me the following output:

Authenticating as principal root/admin@ODM.LGUSD.K12.CA.US with password.
HTTP/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
HTTP/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
K/M@ODM.LGUSD.K12.CA.US
XMPP/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
XMPP/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
afpserver/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
afpserver/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
cifs/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
cifs/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
diradmin@ODM.LGUSD.K12.CA.US
ftp/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
ftp/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
host/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
host/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
http/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
http/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
imap/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
imap/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
ipp/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
ipp/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
kadmin/admin@ODM.LGUSD.K12.CA.US
kadmin/changepw@ODM.LGUSD.K12.CA.US
kadmin/history@ODM.LGUSD.K12.CA.US
kadmin/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
krbtgt/ODM.LGUSD.K12.CA.US@ODM.LGUSD.K12.CA.US
ldap/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
ldap/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
nfs/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
nfs/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
odm.lgusd.k12.ca.us$@ODM.LGUSD.K12.CA.US
pop/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
pop/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
root@ODM.LGUSD.K12.CA.US
smtp/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
smtp/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
vpn/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
vpn/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
vpn_fac8cc2a3e12@ODM.LGUSD.K12.CA.US
xgrid/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
xgrid/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
xmpp/mail.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
xmpp/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US

Obviously not the same

13. So I clicked on the Join Kerberos button. Changed realm from the LKDC one to ODM.LGUSD.K12.CA.US. Entered diradmin's credentials. It once again says my password is invalid. So I'm back to where I started.

Conclusion:

I hate OS 10.5.2 Server
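
The comparison in steps 11 and 12 above is a natural place for a scripted check. Note that kadmin.local only reads the KDC database on the host it runs on, so on a member server it lists that machine's own LKDC:SHA1.* principals whether or not the join has happened; what a completed join leaves behind is service principals for the member's FQDN, in the master's realm, in the member's keytab (sudo klist -k /etc/krb5.keytab). The script below is an added example and not code from the thread or from Apple: it parses MIT-style klist -k output (assumed for 10.5) and the kadmin.local -q list_principals format shown above, and reports whether the member is joined, still LKDC-only, or holding keys the master no longer knows about (as after a destroyed and recreated ODM). The realm is taken from the thread; the member FQDN member.example.com and all sample listings are constructed.

```python
"""Tell a joined member server from an LKDC-only one by checking its keytab
against the Open Directory master's principal list. Added example; the sample
listings below are constructed (realm from the thread, member FQDN invented)."""
import re

# Constructed: `sudo klist -k /etc/krb5.keytab` on a member after a good join
# (MIT klist format assumed: a KVNO column followed by the principal).
MEMBER_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afpserver/member.example.com@ODM.LGUSD.K12.CA.US
   3 cifs/member.example.com@ODM.LGUSD.K12.CA.US
   3 host/member.example.com@ODM.LGUSD.K12.CA.US
"""

# Constructed: the same command on a member that never joined; only the
# machine's own local KDC realm is present (hash taken from the thread).
UNJOINED_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 afpserver/LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E@LKDC:SHA1.763D1FDFF494B476438CF685295A959757D8541E
"""

# Constructed, shortened `sudo kadmin.local -q list_principals` output from the ODM.
MASTER_PRINCIPALS = """\
Authenticating as principal root/admin@ODM.LGUSD.K12.CA.US with password.
K/M@ODM.LGUSD.K12.CA.US
afpserver/member.example.com@ODM.LGUSD.K12.CA.US
afpserver/odm.lgusd.k12.ca.us@ODM.LGUSD.K12.CA.US
cifs/member.example.com@ODM.LGUSD.K12.CA.US
diradmin@ODM.LGUSD.K12.CA.US
host/member.example.com@ODM.LGUSD.K12.CA.US
krbtgt/ODM.LGUSD.K12.CA.US@ODM.LGUSD.K12.CA.US
"""

PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@\s]+)(?:/(?P<instance>[^@\s]+))?@(?P<realm>\S+)$")


def parse_principal(text):
    """Split 'service/instance@REALM' into (service, instance, realm); instance may be None."""
    m = PRINCIPAL_RE.match(text.strip())
    return (m["service"], m["instance"], m["realm"]) if m else None


def keytab_principals(klist_output):
    """Principals in `klist -k` output; data rows start with a numeric KVNO."""
    found = []
    for line in klist_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            p = parse_principal(parts[1])
            if p:
                found.append(p)
    return found


def master_principals(kadmin_output):
    """Principals listed by kadmin.local, skipping its 'Authenticating as' banner."""
    found = []
    for line in kadmin_output.splitlines():
        if not line.strip() or line.startswith("Authenticating as principal"):
            continue
        p = parse_principal(line)
        if p:
            found.append(p)
    return found


def join_report(klist_output, kadmin_output, member_fqdn, expected_realm):
    """Classify the member's Kerberos state relative to the master.

    joined            - member holds keys for its own FQDN in the expected
                        realm and the master has a matching principal for each
    only_local_kdc    - every keytab entry is still in the LKDC:SHA1.* realm
    missing_on_master - keys the member holds that the master does not list
                        (typical after the ODM was destroyed and recreated)
    """
    keytab = keytab_principals(klist_output)
    master = set(master_principals(kadmin_output))
    ours = [p for p in keytab if p[1] == member_fqdn and p[2] == expected_realm]
    missing = sorted("%s/%s@%s" % p for p in ours if p not in master)
    return {
        "joined": bool(ours) and not missing,
        "only_local_kdc": bool(keytab) and all(p[2].startswith("LKDC:") for p in keytab),
        "services": sorted(p[0] for p in ours),
        "missing_on_master": missing,
    }


if __name__ == "__main__":
    for label, kt in (("joined member", MEMBER_KEYTAB), ("unjoined member", UNJOINED_KEYTAB)):
        print(label, join_report(kt, MASTER_PRINCIPALS, "member.example.com", "ODM.LGUSD.K12.CA.US"))
```

Feed it the real outputs by saving klist -k from the member and kadmin.local from the master to files and passing their contents in place of the constructed strings; a "joined" result with no missing principals is the evidence the Join Kerberos dialog in this thread fails to give.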

Feb 15, 2008 2:10 PM in response to LG Tech

Same exact issue - I am hating 10.5.2 - is there no clean way to get diradmin access back (without blowing out my users/group via demote/promote)? WGM gives failed login while log reports success:

Feb 15 2008 17:07:06 KERBEROS-LOGIN-CHECK: user {0x47b6030c6b8b45670000000200000002, diradmin} is in good standing.
Feb 15 2008 17:07:06 KERBEROS-LOGIN-CHECK: user {0x47b6030c6b8b45670000000200000002, diradmin} authentication succeeded.
Feb 15 2008 17:07:06 AUTH2: {0x47b6030c6b8b45670000000200000002, diradmin} DHX authentication succeeded.

This issue needs to be fixed ASAP.
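
The two Password Server excerpts in this thread (the DHX failure with SASL error -13 in the opening post, and the KERBEROS-LOGIN-CHECK / AUTH2 successes just above) are the log lines worth watching while troubleshooting a join. The parser below is an added example, not code from the thread or from Apple: it accepts both the untimestamped and the timestamped line shapes seen here, pulls out the user and the SASL error code, and summarises successes and failures per user so a repeated -13 against diradmin stands out from a healthy login. The sample lines are constructed from the excerpts posted in this thread.

```python
"""Summarise Password Server log lines by user and outcome. Added example;
SAMPLE_LOG is constructed from the two excerpts posted in the thread."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
RSAVALIDATE: success.
AUTH2: {0x47b35e1c6b8b4570000000200000002, diradmin} DHX authentication failed, SASL error -13 (password incorrect).
Feb 15 2008 17:07:06 KERBEROS-LOGIN-CHECK: user {0x47b6030c6b8b45670000000200000002, diradmin} is in good standing.
Feb 15 2008 17:07:06 KERBEROS-LOGIN-CHECK: user {0x47b6030c6b8b45670000000200000002, diradmin} authentication succeeded.
Feb 15 2008 17:07:06 AUTH2: {0x47b6030c6b8b45670000000200000002, diradmin} DHX authentication succeeded.
"""

# Optional "Mon DD YYYY HH:MM:SS " prefix, an upper-case event tag, an optional
# "{slot-id, user}" block (sometimes preceded by the word "user"), then the message.
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) )?"
    r"(?P<event>[A-Z0-9-]+): "
    r"(?:user )?(?:\{(?P<slot>0x[0-9a-fA-F]+), (?P<user>[^}]+)\} )?"
    r"(?P<msg>.*)$"
)
SASL_RE = re.compile(r"SASL error (-?\d+)")


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m["msg"]
    if "failed" in msg:
        outcome = "failure"
    elif "succeeded" in msg or msg.startswith("success"):
        outcome = "success"
    else:
        outcome = "info"  # e.g. "is in good standing" is a status check, not a login
    sasl = SASL_RE.search(msg)
    return {
        "timestamp": m["ts"],
        "event": m["event"],
        "slot": m["slot"],
        "user": m["user"],
        "outcome": outcome,
        "sasl_error": int(sasl.group(1)) if sasl else None,
        "message": msg,
    }


def summarize(log_text):
    """Per-user success/failure counts and the set of SASL error codes seen."""
    acc = defaultdict(lambda: {"success": 0, "failure": 0, "sasl_errors": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not rec["user"]:
            continue  # lines such as RSAVALIDATE carry no user
        entry = acc[rec["user"]]
        if rec["outcome"] in ("success", "failure"):
            entry[rec["outcome"]] += 1
        if rec["sasl_error"] is not None:
            entry["sasl_errors"].add(rec["sasl_error"])
    return {u: {"success": e["success"], "failure": e["failure"],
                "sasl_errors": sorted(e["sasl_errors"])} for u, e in acc.items()}


if __name__ == "__main__":
    for user, stats in summarize(SAMPLE_LOG).items():
        print(user, stats)
```

Run against the live log the same way (read the file and pass its text to summarize); a user whose failure count climbs with only code -13 is exactly the symptom the opening post describes, while the later excerpt shows what a clean AUTH2 success looks like.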

Feb 20, 2008 2:34 PM in response to LG Tech

After spending a couple of hours on the phone with an Apple technician we were finally able to verify that I'm not crazy. And with his help I was able to verify that all is well.

The two main things I brought away from the experience were these.

1. When you bind to the ODM you need to bind with the diradmin's credentials. By doing so the machine will automatically end up in the computer list in the ODM's WGM.

2. Even though the Join Kerberos button and paragraph remain after you have clicked the join Kerberos button, the member server is in actuality using kerberos services. The apple tech had the same thing happen to him.

Message was edited by: LG Tech

Apr 15, 2008 12:58 AM in response to LG Tech

I've been getting the same error trying to get a fresh install of 10.5.2 server to join the kerberos realm in a 10.4.11 open directory master, until I ran the following command on the 10.5.2 server:

sudo kerberosautoconfig -f /LDAPv3/odm ipaddress -r odm_realm -m odm ipaddress

This ran without error. I then returned to server manager on the 10.5.2 box and it also ran the kerberos join command without an error. Though the button still appears as per your post, kerberos is working now.
