
Stopping Kerberos, so I can use AD Kerberos instead

I am trying to stop kerberos so I can bind it to AD Kerberos Realm.

This is the error I am getting:

xxxx:~ admin$ sudo sso_util remove -k -a admin -p xxxx -r xxxx
shutting down kadmind
kadmind shut down
launchctl: Error unloading: edu.mit.kadmind
shutting down kdc
removing KDC from the KerberosClient config record
Contacting the directory server
Bus error

Has anyone ever seen this before?

Thanks!

Mac OS X (10.5.2)

Posted on Mar 12, 2008 11:50 AM

9 replies

Mar 12, 2008 1:30 PM in response to chantastic

Hi

There should be no need to do this using the command line. You can have an OD master with no Kerberos and using the AD KDC just using the GUI.

Create a DNS entry for the Server using the DNS Snap-in module on the AD Server. Make absolutely certain there is a valid Reverse PTR Record for the Server. Place the AD Server's IP address as the primary IP address in the DNS Servers field on the OSX Server's Network Preferences Pane. Switch off IPv6. Make sure the server resolves itself on the forward and reverse lookup zones using the host, nslookup and finally changeip commands.

Bind the Server to the AD first using the Active Directory Plug-in in Directory Utility. Make sure you use an AD account that has authority over the DC.

Now promote to OD Master. When you do this you should only get the option to create the default Directory Administrator account (diradmin UID 1000). There should be no auto-filled Kerberos Realm field or Search base field.

Once the promotion has taken place the Overview pane will show that Kerberos is not running. The Search base will reflect not the AD but the OD instead. The kerberize button should now be available. Again use the same account details you used to bind the server to the AD. In the logs you should see an error message complaining about the KerberosConfigClient. I don't think this is something to worry about. Sometimes the logs are too chatty.

Launch Directory Utility in the Server itself and inspect the LDAPv3 plug-in configuration. You should see an entry for the loopback address. The server should also have placed itself first for Authentication and Contacts.

Bind the clients first to the AD and then to the OD. Make sure you de-select the Authentication and Contacts options for LDAPv3. When applying MCX to your Mac clients install the Server Admin tools on a client Mac and do it from there using WGM. It tends to work better that way.

Apologies if I'm telling you something you already know.

Hope this helps, Tony
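The forward/reverse check Tony describes above (host, nslookup, changeip), written up as an added example script that is not part of the thread: it confirms the OD master's FQDN resolves to the expected IP and that the IP's PTR record points back to the same FQDN, the mismatch that usually breaks Kerberos binding. It assumes the host command is on the PATH; odserver.example.com and 192.0.2.10 are placeholder values.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the server's FQDN and IP
# resolve to each other in both directions, which is the condition the
# host / nslookup / changeip checks in the reply above are confirming.
# Assumes the `host` command is available; hostname and IP are placeholders.

# Forward lookup: print the first A record for a name (empty if none).
forward_lookup() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# Reverse lookup: print the PTR target for an IP, without the trailing dot.
reverse_lookup() {
    host -t PTR "$1" 2>/dev/null |
        awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Return 0 when forward and reverse agree with the expected values, otherwise
# print a diagnostic and return 1 (a missing or wrong PTR is the common case).
check_fqdn() {
    fqdn=$1
    expected_ip=$2
    ip=$(forward_lookup "$fqdn")
    if [ "$ip" != "$expected_ip" ]; then
        echo "FAIL: $fqdn resolves to '${ip:-nothing}', expected $expected_ip"
        return 1
    fi
    ptr=$(reverse_lookup "$expected_ip")
    if [ "$ptr" != "$fqdn" ]; then
        echo "FAIL: $expected_ip reverse-resolves to '${ptr:-nothing}', expected $fqdn (check the PTR record)"
        return 1
    fi
    echo "OK: $fqdn <-> $expected_ip"
    return 0
}

# Usage: sh check_fqdn.sh odserver.example.com 192.0.2.10
if [ $# -eq 2 ]; then
    check_fqdn "$1" "$2"
fi
```

Run it against the server's own FQDN before promoting to OD master; a FAIL on the reverse step means the PTR record Tony insists on is missing or points elsewhere.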

Mar 14, 2008 1:22 PM in response to chantastic

Hi

Actually you doing what you have done has made things a little clearer for me in view of a recent install I did that involved doing exactly what you are doing but using .local for internal DNS Services.

If you got the Kerberos Realm field then you should change it to reflect the AD Domain name. For example if your OD Master's FQDN is odserver.yourdomain.com and your AD Server's FQDN is adserver.yourdomain.com then change the Kerberos field from ODSERVER.YOURDOMAIN.COM to ADSERVER.YOURDOMAIN.COM. Change the Search base field as well to dc=adserver,dc=yourdomain,dc=com. Continue with the promotion by creating the Directory Administrator account (diradmin UID 1000) and you should now have an OD Master with no Kerberos and a principal of the Kerberos Realm.

When you click the Kerberize button you need to use an account that exists on the AD that has authority over the AD DC. The same one you used to bind OSX Server to the AD should work. What I have done before in the past with 10.4 Server is to create the diradmin account on the AD Server itself and assign that account authority for the AD Domain. That way the diradmin account can consistently be used for everything to do with both LDAP nodes. The OD one and the AD one.

If you have got to the OD Master promotion bit then demote again, prepare the ground and go for promotion again - you have nothing to lose in terms of users or groups as all of these exist on the AD Server anyway.

Hope this helps, Tony

Mar 18, 2008 12:14 PM in response to chantastic

Hi

You can't edit users that exist in another LDAP Directory. Only an administrator on the other LDAP server locally can do that.

The way this usually works is you augment what is available on the AD with OD MCX for macintosh clients authenticating with AD accounts and mounting AD published home folders.

To that end once you have successfully bound OSX Server to AD and promoted to OD Master with Kerberos stopped you should be able to view all users and groups that exist in the AD node by selecting the Active Directory/All Domains node. You then create a group in the /LDAPv3/127.0.0.1 node, drag users or groups from the AD node into the newly created group and apply managed preferences that way.

There is a wealth of information about this available from:

http://www.bombich.com
http://www.macwindows.com
http://afp548.com

Hope this helps, Tony
