Kerberos-DNS-Maddening

I have validated that DNS is setup properly as per your suggestion and dig returns the correct authoritative information. Forward and reverse lookups all check out and changeip -checkhostname states everything is OK.

The main issue now is that OD will not Kerberize during the process to promote to an OD Master. All information including the Kerberos Realm auto populate during the promotion to OD Master however the Kerberos Realm is stopped. The Kerberos Realm auto populates as the FQDN capitalized. For example:

MYSERVER.MYDOMAIN.COM

I have rebuilt the KDC as per:

HT3655 - Mac OS X Server 10.5: Rebuilding the KDC While Maintaining LDAP and PasswordServer Databases

Still no luck. Any other ideas on why the OD wil not Kerberize?

What do your logs show ? Look through everything available via the Log button when you have selected the Open Directory service.

Check what your domain is listed as in /Library/Preferences/edu.mit.Kerberos

Typically, your FQDN in ALL CAPS -that is standard for Kerberos.
so YOURSERVER.YOURDOMAIN.EDU
for example.

OR, YOURDOMAIN.EDU


also share the result of

dscl /LDAPv3/127.0.0.1 -list /Config/KerberosKDC > KerberosKDC.out; cat KerberosKDC.out

Interesting turn of events. I actually tested the setup on a PowerMac G5 because I was beginning to suspect that this issue was the result of how the Server OS must be installed on the Mac mini (KB article HT3479).

Installing Server 10.5 directly to the PowerMac G5 and using the same config I was using on the Mini resulted in everything working perfectly. The Kerberos issue is directly related to how the Server OS is installed.

At the suggestion of one of an Apple tech I installed and upgraded the Server OS to 10.5.7 on the Mini using Target Disk Mode and an older MacBook Pro. Other than a few remaining startup issues (related to the hardware) I was able to configure the server and promote it succeffully to an OD master.

I am really not 100% comfortable with this install method so I plan on trying the original install method to gather the information you requested. Thanks for your feedback.

10.5 client includes what is called a local KDC or LKDC.
Perhaps that being there from the client install might cause some issue(s).

For more about the LKDC
http://www.dreness.com/blog/archives/42
http://www.dreness.com/wikimedia/index.php?title=LKDC

http://www.afp548.com/article.php?story=20080709091503862

I might try the following but leave OUT the last step:
from http://support.apple.com/kb/TS1245

At the suggestion of one of an Apple tech I installed and upgraded the Server OS to 10.5.7 on the Mini using Target Disk Mode and an older MacBook Pro.

That's the method I used to install on unsupported systems in the past and it does work. Whenever I do one of these I always image the disk prior to proceeding past the basic setup. That way you have a good working backup in case you have to do a 'fresh' install.

Mabel,

Is there any posted documentation on how to cleanup the startup issues when using this method?

Not that I know of. However, when doing one of these setups, always use the same architecture as the target machine. Intel installs to Intel, PPC installs to PPC. When the installer finishes, let it boot the installer machine with the FW target machine's disk and do nothing but the admin account and the network setup -make sure your DNS is setup ahead of time. Don't do any services at this time. Then image the target machine's disk and then boot the target machine on its own disk to finish the setup from that point.

That method can work (and i've used something similar) for specific cases.
However if you any hardware differences, you'll want to know how to clear out the cached info & related extensions for the old hardware that was used to do the install.
Google for the info, it's out there - perhaps also at bombich.com

i was able to start kerberos using the instructions by gerrit dewitt on:
http://discussions.apple.com/message.jspa?messageID=5917575

i demoted my ODM to standalone, and repromoted it to advanced, which did not show the REALM screen, and kerberos was 'stopped'. then i applied these instructions, and pursued them even though i received the 'invalid realm name' message and also at a point (in step c) my diradmin password was asked for and then told that it wasn't recognized. i continued with the instructions anyway, figuring what the heck.
at this point system admin showed kerberos was still stopped.
so i demoted again. and i restarted the server.
then i promoted to ODM and the REALM screen showed up!
now SA reports Kerberos as running.

i'm thinking this is probably all because i'm installing on a mini that has OSX (10.5.7) installed with server on top of that.

a message (which i can't find right now) shows that there is a kerberos installation present on all 10.5.7 client machines (or else how would all of this work), and suggests that is probably to blame for all of the problems people are having with this particular setup.

my dns always tested correct, and the realm screen nor the kerberize button never showed during the promotion to open directory master and i did not get the segmentation fault error during any of the fixes described. i also reinstalled the mini from scratch 3 times but always installing osx first because the mini is newer than my server dvd.

even though kerberos appears to be running now, i don't trust my installation and probably never would, so i'm going to target disk mode install from an intel macbook after wiping the mini. luckily i had no user accounts to protect as this is a new deployment.

a big thanks to everyone who has contributed to these threads. i would have never figured this out on my own, especially since these docs from apple did not work for me, although focused on solving kerberos problems:
http://support.apple.com/kb/HT3479
http://support.apple.com/kb/HT3655

Thank you all for your suggestions and assistance resolving this issue. I have successfully installed the Server OS using the method as outlined in updated article HT3479. I have had a couple of discussions with the Enterprise Support folks at Apple this past week and late Friday afternoon they suggested the steps listed in the updated in the article. Everything installed and works perfectly.

You will need to perform the new steps at the end of the article after you have run through Server Assistant and before you configure DNS and Open Directory. Thanks again

I found that disabling IPv6 also solves a ton of issues related to kerberos.

Really? I use both Kerberos and IPv6 extensively on Mac OS X and haven't seenIpv6 cause any Kerberos related issues.

What issues have you seen with it?

I was having some insane DNS resolution issues. I was using the minimal DNS setup that the server puts together when building a new OD and while kerberos was showing as running, it wasn't working at all. Whenever I tried to do kerberize in the GUI or the command line, it would eventually fail with name resolution issues. Turned off IPv6 and it was fine.

I should note that the airport extreme was set for IPv6 tunneling. Changed it to link-local only it's all good now.