9 Replies Latest reply: Dec 8, 2009 3:01 AM by Lazken
Lazken Level 1 (0 points)

I have an Open Directory running that is kerberized. As of now, that server uses another machine as its DNS server, but I want to move the DNS onto the same machine.
When I change the network system preferences and point the DNS to itself, users can't log into their Open Directory accounts anymore. Passwords get refused.
I've searched high and low in the Open Directory options but cannot find anything DNS related. What other steps do I need to take in order to switch the DNS?

thanks in advance

Mac pro, Mac OS X (10.5.8)
  • Andbrowny Level 4 (1,610 points)
    Hi Lazken, have a look at pages 8-14 here about setting up and testing your DNS.

  • Lazken Level 1 (0 points)
    Hi, thanks for the tip.

    Our DNS was already set up on the new machine and is working fine. The only issue we run into when switching to this new DNS is that our Kerberos authentication no longer works.
    Do I need to add a new Kerberos record?
  • Lazken Level 1 (0 points)
    I'm thinking it could be a problem in my DNS setup.
    My server name's caesar, the domain is mydomain.com

    I have 2 primary zones:

    caesar:~ admin$ nslookup caesar
    ** server can't find caesar: NXDOMAIN
    does not work,

    caesar:~ admin$ nslookup caesar.mydomain.com
    Name: caesar.mydomain.com

    caesar:~ admin$ nslookup <ip of caesar>
    name = caesar.mydomain.com.

    the old DNS server is still running on the old server, "Idefix" at,
    where the Open Directory and Kerberos and mail used to run. Those things have been migrated to caesar.
    The idea is to have the DNS service also moved to caesar.

    Kerberos was first configured/initialized with idefix as DNS.

    Point of interest maybe: on the old DNS server (idefix) nslookup gives the same results as the new one.
  • Lazken Level 1 (0 points)
    Perhaps also good to know is that for the mail, I have to add aliases in Open Directory manager for each user as username@mydomain.com, or their email address is username@caesar.mydomain.com. As this is annoying, I figured the problem lay with the DNS, noticed it was still running off the old server, tried to change it, and noticed all Kerberos authentication failing.
  • Andbrowny Level 4 (1,610 points)
    Hi Lazken, I suspect your issues are more than DNS but also with your OD setup.
    What do you get if you type
    sudo changeip -checkhostname
    in the terminal?
    If everything is OK you should get something like

    Primary address =

    Current HostName = server.domain
    DNS HostName = server.domain

    The names match. There is nothing to change.

    How was the migration from idefix to caesar done?

  • Lazken Level 1 (0 points)
    That's exactly what checkhostname does.

    I had it working for a bit, everything was running smooth, even with idefix offline.

    Today, I needed to add some DNS records for some internal servers.

    I added a primary zone randomdomain.com
    and added a machine to that with the appropriate IP. This was however not a solution to the issue I was facing. I also added a line to the /etc/hosts file.
    I then deleted that line again, and also removed the newly created zone.
    Since these changes to the DNS, Kerberos is failing once again. I changed the DNS back to idefix for now, but I'm going to need to solve this.

    How can just editing your DNS zones result in Kerberos going loony?

    thanks in advance for the effort!

  • Leif Carlsson Level 5 (4,950 points)
    Did you enter your domain in the Network prefpane search domain field?

    When you add new domains in DNS GUI make sure the reverse IP still points to the main domain/host name.
  • Lazken Level 1 (0 points)
    Search domain is still OK, reverse IPs are also still OK.

    I do have Time Machine running. But I can only get it to work on the mail client and Finder; is there a way to get it to work on service settings?
    If not, what files should I restore to get my DNS service settings back to the pre-change state?
  • Lazken Level 1 (0 points)
    Found it. There seemed to be a double record in the reverse DNS; deleted one of them, now everything is running smooth again! Thanks for the help everyone.