Kerberos-DNS-Maddening

If someone can help I would appreciate it. I'm pulling my hair out at this point.
My Symptoms:
First off DNS seems to be working properly. Every command line test I have given it comes back clean.

Open Directory will not set up Kerberos. First it absolutely would not populate the Kerberos Realm properly. Always giving a server.local argument. I tried every command line fix I could and it would error out each time.

Sooo. Frustrated, I started trying different things. Lo and behold, if I disable IPv6 in the Network Preference Pane, Kerberos will properly auto-populate the Realm when moving from standalone to master. BUT KERBEROS STILL WON'T START!
I tried about 3 different command-line fixes I found here and on the net. LDAP starts just fine (even with IPv6 on) but Kerberos is always stopped.

I am stumped. I keep going back to DNS but I really can't find anything wrong with it. It works, it resolves front, back, left and right!

If someone has experience with Kerberos, please take the time to help me out. I used search but I have not found anyone with my specific symptoms, and none of the fixes I have tried work.

macpro, Mac OS X (10.5.6)

Posted on Mar 19, 2009 5:39 AM


Mar 19, 2009 10:14 AM in response to Justin Andrews

Ok. I found out why I couldn't ssh. It was off 🙂

No zero byte files

drwx------ 11 root wheel 374 Mar 19 12:37 .
drwx------ 8 root wheel 272 Mar 18 11:23 ..
-rw------- 1 root wheel 897 Mar 19 00:09 Kerberos:SERVER.DOMAIN.COM..plist
-rw------- 1 root wheel 896 Mar 19 01:03 Kerberos:SERVER.DOMAIN.COM.plist
-rw------- 1 root wheel 888 Mar 19 00:09 Kerberos:DOMAIN.COM.plist
-rw------- 1 root wheel 1649 Mar 18 23:38 KerberosKDC.plist
-rw------- 1 root wheel 1215 Mar 18 11:23 KerverosKDC.plist.BACKUP
-rw------- 1 root wheel 3935 Mar 19 12:37 ServicesInformation.plist
drwx------ 3 root wheel 102 Mar 18 13:50 SharePoints
-rw------- 1 root wheel 255 Mar 19 01:10 SharePoints.plist
-rw------- 1 root wheel 341 Mar 19 01:02 passwordserver.plist

I deleted Kerberos:SERVER.DOMAIN.COM..plist and Kerberos:DOMAIN.COM.plist.
And I checked KerberosKDC.plist: default_realm is correct, SERVER.DOMAIN.COM.
Here is a copy of the PLIST FILE (I replaced my actual realm with SERVER.DOMAIN.COM):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>kdcconfigdata</key>
<array>
<string>[libdefaults]
default_realm = SERVER.DOMAIN.COM

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
SERVER.DOMAIN.COM = {
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal des-cbc-crc:v4
acl_file = /var/db/krb5kdc/kadm5.acl
admin_keytab = /var/db/krb5kdc/kadm5.keytab
database_name = /var/db/krb5kdc/principal.SERVER.DOMAIN.COM
key_stash_file = /var/db/krb5kdc/.k5.SERVER.DOMAIN.COM
}
LKDC:SHA1.6B3AFB574C7110687527279601F931BA1EDC1DDF = {
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal des-cbc-crc:v4
acl_file = /var/db/krb5kdc/kadm5.acl
admin_keytab = /var/db/krb5kdc/kadm5.keytab
database_name = /var/db/krb5kdc/principal.LKDC:SHA1.6B3AFB574C7110687527279601F931BA1EDC1DDF
key_stash_file = /var/db/krb5kdc/.k5.LKDC:SHA1.6B3AFB574C7110687527279601F931BA1EDC1DDF
}
[logging]
kdc = FILE:/var/log/krb5kdc/kdc.log
admin_server = FILE:/var/log/krb5kdc/kadmin.log
</string>
</array>
<key>name</key>
<array>
<string>KerberosKDC</string>
</array>
<key>realname</key>
<array>
<string>LKDC:SHA1.6B3AFB574C7110687527279601F931BA1EDC1DDF</string>
</array>
</dict>
</plist>
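As an added example (not code from the thread or from Apple), here is a small Python checker for the krb5.conf-style text that Open Directory stores under the kdcconfigdata key of KerberosKDC.plist. It parses the [libdefaults] and [realms] sections and flags the things that go wrong in threads like this one: a default_realm with no matching realm stanza, a realm derived from a .local hostname, and database or stash paths that do not match the realm. It also warns when the realm still offers single-DES enctypes, which is an editorial caveat and not something the poster asked about. The sample config is the poster's, abbreviated to the SERVER.DOMAIN.COM stanza; the plist wrapper is constructed here to mirror the posted file.

```python
import plistlib

# Constructed sample: the kdcconfigdata string from the post above,
# abbreviated to the SERVER.DOMAIN.COM realm.
SAMPLE_KDC_CONF = """[libdefaults]
default_realm = SERVER.DOMAIN.COM

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
SERVER.DOMAIN.COM = {
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac-md5:normal des-cbc-crc:normal des-cbc-crc:v4
acl_file = /var/db/krb5kdc/kadm5.acl
admin_keytab = /var/db/krb5kdc/kadm5.keytab
database_name = /var/db/krb5kdc/principal.SERVER.DOMAIN.COM
key_stash_file = /var/db/krb5kdc/.k5.SERVER.DOMAIN.COM
}
[logging]
kdc = FILE:/var/log/krb5kdc/kdc.log
"""

# Constructed plist with the same layout as the posted KerberosKDC.plist
# (kdcconfigdata is a one-element array holding the config text).
SAMPLE_PLIST = plistlib.dumps(
    {"kdcconfigdata": [SAMPLE_KDC_CONF], "name": ["KerberosKDC"]}
)


def kdc_conf_from_plist(plist_bytes):
    """Pull the kdcconfigdata string out of a KerberosKDC.plist."""
    return plistlib.loads(plist_bytes)["kdcconfigdata"][0]


def parse_krb5_conf(text):
    """Parse krb5.conf/kdc.conf syntax into {section: {key: value}}.
    A 'NAME = { ... }' stanza becomes a nested dict under NAME."""
    sections, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, {})
            stanza = None
            continue
        if line == "}":
            stanza = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stanza = key
            sections[section][stanza] = {}
            continue
        target = sections[section][stanza] if stanza else sections[section]
        target[key] = value
    return sections


def check_kdc_conf(conf):
    """Return (errors, warnings). Errors stop Kerberos from working as
    intended; warnings are hardening notes."""
    errors, warnings = [], []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"], warnings
    if realm.upper().endswith(".LOCAL"):
        errors.append(f"default_realm {realm} comes from a .local hostname (mDNS); fix DNS first")
    if realm != realm.upper():
        errors.append(f"default_realm {realm} is not upper-case")
    stanza = conf.get("realms", {}).get(realm)
    if stanza is None:
        errors.append(f"no [realms] stanza for {realm}")
        return errors, warnings
    for key in ("database_name", "key_stash_file"):
        if not stanza.get(key, "").endswith("." + realm):
            errors.append(f"{key} does not end in .{realm}: {stanza.get(key)}")
    enctypes = stanza.get("supported_enctypes", "").split()
    if any(e.startswith("des-cbc-") for e in enctypes):
        warnings.append(f"{realm} still offers single-DES enctypes (des-cbc-*)")
    return errors, warnings


if __name__ == "__main__":
    conf = parse_krb5_conf(kdc_conf_from_plist(SAMPLE_PLIST))
    errs, warns = check_kdc_conf(conf)
    print("errors:", errs or "none")
    print("warnings:", warns or "none")
```

To run it against a real server, read /Library/Preferences/edu.mit.Kerberos or the KerberosKDC.plist shown in the listing above and pass its bytes to kdc_conf_from_plist; the parser only understands the flat key = value and NAME = { } forms that OD writes, not every krb5.conf extension.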

Mar 19, 2009 10:25 AM in response to mvasilakis13

What could be broken in DNS that would cause Kerberos to default to SERVER.local when IPv6 is on but SERVER.DOMAIN.COM when it is off? (AND not bother LDAP either way!!!)

Sorry for all the postings but I want to make sure anyone who reads this understands the symptoms. It's not something I have been able to find a solution for searching google. Or anyone with similar symptoms.

Jul 26, 2009 10:25 PM in response to mvasilakis13

A few hours ago I was setting up a new server to replace my old hardware and encountered the exact same problem when attempting to promote the server from standalone to an Open Directory Master. Viewing your post and reading some of the comments jogged my memory that I had run into this issue before when I first setup my server at home in early 2008.

I cannot remember the technical details but my issue was caused by the Airport Extreme that I had between my cable modem and the server and specifically had something to do with Bonjour. If you have a similar configuration please see below.

I resolved this issue a few minutes ago by temporarily reconfiguring my LAN with an old Netgear router (no Bonjour or IPv6, using the exact same subnet configuration I use with my Airport) and rebuilding the server from the ground up. Without the Airport in the mix I was able to properly set up DNS, and the Kerberos Realm defaulted to my fully qualified domain name when promoting the server to an Open Directory Master. Once I got past the Open Directory configuration, I removed the Netgear router and replaced it with my Airport Extreme, resolving all of my DNS and OD issues and returning my LAN to its original configuration. I hope this helps.

Jul 30, 2009 9:41 AM in response to Michaela Baldwin

We have the exact same configuration (MacMini 2009 and 10.5 Server) and the exact same issue. When promoting the server to an ODM the service did not Kerberize, and the KDC rebuild outlined in the article did not resolve the issue. I am going to build from the ground up once again and hopefully resolve all of the issues. Were you successful in getting Kerberos to run?

Jul 30, 2009 11:14 AM in response to JMANINAZ

The first thing that you have to do when setting up OS X Server is to have a working DNS setup. It does not have to be on OS X (it could be on Windows, Unix/Linux, whatever) but it has to be able to resolve, both forward and reverse, the IP address and hostname of the server that you are setting up. If it doesn't, then you find yourself in the exact situation that you guys are in now. Fixing DNS fixes your problem.

Also, if you are setting up a domain to use with an OD server, choose anything else but '.local' for your domain. Net, foo, dog, bone. Anything.

If you are going to use a Mac with a single Ethernet port and intend to host multiple services with different IP addresses that will depend on Kerberos and OD, only configure the server's primary IP address first, then promote to OD / bind to an OD master, then add the interfaces/IP addresses for your other services, then add the Kerberos principals for those services after they are set up and working. Oh, make sure that the hostnames that you chose for those services resolve both forward and reverse in DNS.

Check your DNS with 'dig' in Terminal.app:

dig odmaster.test.net
; <<>> DiG 9.4.3-P1 <<>> odmaster.test.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42931
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;odmaster.test.net. IN A
;; ANSWER SECTION:
odmaster.test.net. 28800 IN A 192.168.1.24
;; AUTHORITY SECTION:
test.net. 28800 IN NS ns2.test.net.
test.net. 28800 IN NS ns1.test.net.
;; ADDITIONAL SECTION:
ns1.test.net. 28800 IN A 192.168.1.254
ns2.test.net. 28800 IN A 192.168.1.253
;; Query time: 15 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Jul 30 11:01:19 2009
;; MSG SIZE rcvd: 120
dig -x 192.168.1.24
; <<>> DiG 9.4.3-P1 <<>> -x 192.168.1.24
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35202
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;24.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
24.1.168.192.in-addr.arpa. 28800 IN PTR odmaster.test.net.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 28800 IN NS ns1.test.net.
1.168.192.in-addr.arpa. 28800 IN NS ns2.test.net.
;; ADDITIONAL SECTION:
ns1.test.net. 28800 IN A 192.168.1.254
ns2.test.net. 28800 IN A 192.168.1.253
;; Query time: 8 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Jul 30 11:01:33 2009
;; MSG SIZE rcvd: 143

substitute your server hostnames and IPs. If 'dig' doesn't return the correct authoritative information, fix your DNS.

Did I mention that you should choose anything but '.local' as your domain?
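The forward/reverse check above is the one every reader of this thread should script rather than eyeball, so here is an added Python example (not part of the post, and not an Apple tool) that parses dig output and reports whether a host and address agree in both directions, whether the answers are authoritative, and whether the name lives in .local. The realm helper reflects what the thread shows: on 10.5 Server the realm defaults to the server's FQDN in upper case (SERVER.DOMAIN.COM in the first reply, SERVER.local when DNS is wrong). The sample outputs are the two dig runs from the post above; run_dig and check_host_live are assumed wrappers that call the real dig binary and are not exercised offline.

```python
import re
import subprocess

# Sample dig output copied from the post above (forward lookup).
SAMPLE_FWD = """; <<>> DiG 9.4.3-P1 <<>> odmaster.test.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42931
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;odmaster.test.net. IN A
;; ANSWER SECTION:
odmaster.test.net. 28800 IN A 192.168.1.24
;; AUTHORITY SECTION:
test.net. 28800 IN NS ns2.test.net.
test.net. 28800 IN NS ns1.test.net.
;; ADDITIONAL SECTION:
ns1.test.net. 28800 IN A 192.168.1.254
ns2.test.net. 28800 IN A 192.168.1.253
"""

# Sample dig output copied from the post above (reverse lookup).
SAMPLE_REV = """; <<>> DiG 9.4.3-P1 <<>> -x 192.168.1.24
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;24.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
24.1.168.192.in-addr.arpa. 28800 IN PTR odmaster.test.net.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 28800 IN NS ns1.test.net.
1.168.192.in-addr.arpa. 28800 IN NS ns2.test.net.
"""


def parse_dig(text):
    """Reduce dig's text output to the header flags and the ANSWER section
    as (owner, rrtype, rdata) tuples. Other sections are ignored."""
    flags, answers, section = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].replace("SECTION:", "").strip()
            continue
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if section == "ANSWER" and len(parts) >= 5 and parts[2] == "IN":
            answers.append((parts[0], parts[3], parts[4]))
    return {"flags": flags, "answers": answers}


def realm_for_host(host):
    """Realm OD derives for a server: its FQDN, upper-cased."""
    return host.rstrip(".").upper()


def check_forward_reverse(host, ip, fwd_text, rev_text):
    """Return a list of problems; an empty list means host <-> ip is
    consistent, authoritative, and not in the mDNS .local domain."""
    problems = []
    fqdn = host.rstrip(".") + "."
    if fqdn.lower().endswith(".local."):
        problems.append(f"{host} is in .local (reserved for mDNS/Bonjour); use another domain")
    fwd, rev = parse_dig(fwd_text), parse_dig(rev_text)
    a_records = [r for n, t, r in fwd["answers"] if n == fqdn and t == "A"]
    if ip not in a_records:
        problems.append(f"forward: {host} -> {a_records or 'no A record'}, expected {ip}")
    ptr_records = [r for _, t, r in rev["answers"] if t == "PTR"]
    if fqdn not in ptr_records:
        problems.append(f"reverse: {ip} -> {ptr_records or 'no PTR record'}, expected {fqdn}")
    for label, ans in (("forward", fwd), ("reverse", rev)):
        if "aa" not in ans["flags"]:
            problems.append(f"{label} answer is not authoritative (no aa flag); query the zone's own server")
    return problems


def run_dig(*args):
    """Assumed wrapper around the real dig binary (not run offline)."""
    return subprocess.run(["dig", *args], capture_output=True, text=True, check=True).stdout


def check_host_live(host, ip):
    """Live check: same logic, fed from dig on this machine."""
    return check_forward_reverse(host, ip, run_dig(host), run_dig("-x", ip))


if __name__ == "__main__":
    print("realm:", realm_for_host("odmaster.test.net"))
    print("problems:", check_forward_reverse("odmaster.test.net", "192.168.1.24", SAMPLE_FWD, SAMPLE_REV) or "none")
```

Note that the "aa" check is deliberately strict: a cached, non-authoritative answer from an upstream resolver can look correct while the zone the server itself will consult (the Airport or a stale /etc/hosts entry, as in the earlier replies) says something else, so run the live check against the nameserver the server actually lists in its resolver configuration.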
