
Kerberos will not start

10.5.5 server
DNS seems ok (A record and PTR record appear fine... host ip and host name resolve)
Open Directory Master
LDAP Server is running
Password Server is running
Kerberos is stopped.

from console log

11/18/08 7:07:36 PM com.apple.kdcmond[117] krb5kdc: cannot initialize realm HOST.DOMAIN.COM - see log file for details
11/18/08 7:07:39 PM com.apple.kdcmond[117] krb5kdc: cannot initialize realm HOST.DOMAIN.COM - see log file for details
11/18/08 7:07:42 PM com.apple.kdcmond[117] krb5kdc: cannot initialize realm HOST.DOMAIN.COM - see log file for details
11/18/08 7:07:45 PM edu.mit.kadmind[6030] kadmind: Cannot find/read stored master key while initializing, aborting
11/18/08 7:07:45 PM com.apple.launchd[1] (edu.mit.kadmind[6030]) Exited with exit code: 1

repeats over and over.
I tried kdcsetup, kerberosautoconfig, sso_util.

HELP PLEASE!

xServe, Mac OS X (10.5.5)

Posted on Nov 18, 2008 5:15 PM

12 replies
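
An added example, not part of the original post or thread: a small Python triage of the console lines quoted above. It collapses the repeating krb5kdc lines into counts and puts the kadmind master-key message first, since it is the only line that names a cause. The signature names and their ordering are this example's own choices.

```python
import re
from collections import Counter

# Console lines quoted in the post above, embedded so the script runs offline.
SAMPLE_LOG = """\
11/18/08 7:07:36 PM com.apple.kdcmond[117] krb5kdc: cannot initialize realm HOST.DOMAIN.COM - see log file for details
11/18/08 7:07:39 PM com.apple.kdcmond[117] krb5kdc: cannot initialize realm HOST.DOMAIN.COM - see log file for details
11/18/08 7:07:42 PM com.apple.kdcmond[117] krb5kdc: cannot initialize realm HOST.DOMAIN.COM - see log file for details
11/18/08 7:07:45 PM edu.mit.kadmind[6030] kadmind: Cannot find/read stored master key while initializing, aborting
11/18/08 7:07:45 PM com.apple.launchd[1] (edu.mit.kadmind[6030]) Exited with exit code: 1
"""

# "<date> <time> AM/PM <sender>[<pid>] <message>", the shape of the lines above.
LINE_RE = re.compile(r"^\S+ (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<sender>[\w.]+)\[\d+\] (?P<msg>.+)$")

# Ordered most specific first: the first name with hits becomes the lead finding.
SIGNATURES = [
    ("master_key_unreadable", re.compile(r"Cannot find/read stored master key")),
    ("realm_init_failed", re.compile(r"cannot initialize realm (?P<realm>\S+)")),
    ("job_exited", re.compile(r"^\((?P<job>[\w.]+)\[\d+\]\) Exited with exit code: (?P<code>\d+)")),
]

def triage(log_text):
    """Count each failure signature and collect the realms and launchd jobs named."""
    counts, realms, exits, unmatched = Counter(), set(), {}, []
    for raw in log_text.splitlines():
        line = raw.strip()
        parsed = LINE_RE.match(line)
        if not parsed:
            if line:
                unmatched.append(line)   # keep anything unexpected for manual review
            continue
        for name, pattern in SIGNATURES:
            hit = pattern.search(parsed["msg"])
            if not hit:
                continue
            counts[name] += 1
            if name == "realm_init_failed":
                realms.add(hit["realm"])
            elif name == "job_exited":
                exits[hit["job"]] = int(hit["code"])
            break
        else:
            unmatched.append(line)       # well-formed line, no known signature
    lead = next((name for name, _ in SIGNATURES if counts[name]), None)
    return {"lead": lead, "counts": dict(counts), "realms": sorted(realms),
            "exits": exits, "unmatched": unmatched}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
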

Nov 18, 2008 6:34 PM in response to CLWolf

DNS may resolve, but check out
sudo changeip -checkhostname

to be sure

After that, knowing how, exactly, you set up your server is important info.
Basically, you want to install the Server OS, run the assistant, set the server up in advanced mode as a standalone, and turn on only DNS. Then set up DNS, test DNS, then you can promote it to an OD master. Following those steps, Kerberos should take care of itself.

Jeff

Nov 19, 2008 12:59 PM in response to CLWolf

Hi

Are you sure about the time frame? How can the Open Directory have been working well for 3 years when Leopard has only been available for just over a year?

Jeff is absolutely correct.

If your server is an upgrade of previous versions of the server rather than a clean install then perhaps that is where the root of the problem lies?

However something has broken LDAP? If you are certain nothing has changed in terms of Server FQDN and IP address then you should be able to archive the LDAP Database (preserves everything) and demote to Standalone. Thoroughly test your DNS Service again and then go for re-promotion. Restore your LDAP database afterwards. Before demotion unshare any share points as well as any automounted directories. Export Users and Groups just in case.

Tony

Nov 19, 2008 6:26 PM in response to Antonio Rocco

Oh my.

Time frame is fine. Never said anything about it only being Leopard. Major assumption on your part.

Server upgrade WAS fine.

LDAP is fine. Kerberos is not working. IP, DNS, et al. are fine.

Think I'll just ask this in a unix forum. All anyone here ever says is export, demote, import, blah blah blah. Yes Passenger can do passwords, but there should be a fix for kerberos without demoting your server.

Nov 19, 2008 7:34 PM in response to CLWolf

So your server has a pretty big issue. You want to know how to repair Kerberos from the command line. That's not a simple answer. You could check out
http://www.apple.com/xserve/resources.html

or try the OS X Server mailing list and ask for the kerberos/ldap command line man pages to consult.

macos-x-server@lists.apple.com

Why did you feel the need to bash folks who tried to offer help?

Nov 20, 2008 3:00 PM in response to CLWolf

@ Jeff & fcghstdfshdf. Thanks guys I appreciate it.

@ CLWolf

". . . Never said anything about it only being Leopard . . ."

Are you saying you have multiple OS installed on the same server?

". . .Major assumption on your part . . ."

I've made the assumption because you've posted in the 10.5 Forum. For lack of any further details it's a fair assumption to make?

Clearly the Server upgrade did not work out because you are having problems. Why post otherwise?

". . .LDAP is fine. Kerberos is not working . . ."

LDAP is not fine if Kerberos is broken. You should know this if you have read any of the relevant material or consulted these forums. There is no magic bullet for a broken LDAP, Kerberos or PasswordService. I have tried to find it as have many others on these forums. Hence the blah blah blah you find so tedious. Perhaps you think we are all stupid? Don't you think some of us on here have tried all the possible methods to try and resurrect a broken OD? Granted it does occasionally work but it's never a lasting solution.

". . . there should be a fix for kerberos without demoting your server. . ."

If there is I've yet to find an effective one? You post because you want help? Yet it seems to me it has to be on your terms? That's not really asking for help is it? As already stated experience has taught us the speediest resolution is the advice you've been given. Apple will give you this advice as well. By all means post on the Unix forum but if you've already tried the methods you've stated I can't see where else you can go with it?

Good luck and I'm sorry our advice is of no use to you.

Tony

Nov 20, 2008 8:15 PM in response to Antonio Rocco

OH my, not another one of these users.

Never said it wasn't upgraded... learn to read. It was a 10.4 server, and upgraded to 10.5, HENCE THE 10.5 FORUM!

Server upgrade has worked for over a year... learn to read.

Hmm, let's see, if ldap is working, and users can log in, have PHD, and can use mail, web, ichat, etc, ldap seems fine. Kerberos is not working.... learn to read.

My advice to you is to learn to read.

Some people will never learn.

Nov 20, 2008 9:40 PM in response to CLWolf

I for one find your disregard for the assistance provided by some very respected volunteers offensive. People have been trying to solve Kerberos issues since 10.5 server went on sale. The advice given here is distilled from significant hours of trying to solve this problem and represents a solution that will work for the long term. Accept the advice or offer something better. A solution that looks great for the moment may only be a snake waiting to bite if you don't have all the keys in the lock.
Harry

Nov 21, 2008 3:53 AM in response to harry-pmsi

It is certainly possible to fix (a) broken kerberos.

I've done it with 10.4 server on a few occasions. The article linked to above might work for you, but there's some confusion there over the LKDC*. Also be sure to note one of the comments (don't miss it) about "slapconfig -kerberize" ... regardless, proceed with caution and not without a full, known-good backup.

The problem with trying to "walk" someone through something that involved here, is that there are so very many factors that come into play, and far too many openings for a person to either mistakenly - or willfully - leave out critical information.
As well as having to deal with personalities and attitudes in a way that I generally don't abide in my professional work, especially when my highest priority is solving the problem at hand.

This is an item where I've avoided any temptation to post a "tutorial" because there's just too much at stake, and I don't want to encourage anyone to possibly think that every problem has a quick fix.

The number one piece of advice I can give is: never do an upgrade install. I don't, never have and never will if I have any say in the matter. Ah, that's for OS X client 😉
For OS X Server, I simply refuse to do an upgrade install. It's not how it should be done, and my experiences with repairing them (upgrade installs) have only reinforced this over time.
(At one point, if you needed "MCX" (really, MM) for Mac OS 9 clients, you had to upgrade from 10.3 to 10.4 in order to preserve certain items, but that's the only really viable exception).

There are many instances of upgrade installs leading to problems eventually. Sometimes right away, sometimes not until later on.
And so I do a "migration" : back up users and groups, server configurations and non-Apple software and data, verify the target drive, wipe & install, configure, update (with usual caveats), and import data where advisable, otherwise reconfigure from scratch.
Set default passwords for users and require a password change at first login, with appropriate communications to & with the users well in advance.

The next thing you need to know is: You're best off having another box provide DNS for your 10.5 server, prior to installing it. Make sure you've settled on the FQDN to be used, and have another server provide (verified) working forward & reverse lookup for the server about to get the 10.5 install.

Finally, technology is great when it works like it's supposed to. When it doesn't we can all get irascible sometimes. Remember that this forum is user-to-user support, and no-one "owes" anyone anything here, except appropriate civility (and otherwise abide by Apple's terms of use).

Regards,
-- David


* Recommended reading about the LKDC in 10.5:
http://www.dreness.com/blog/archives/42
http://www.dreness.com/wikimedia/index.php?title=LKDC
