
Getting Kerberos to run in a .local domain

Hi all,

I am trying to set up a Mac 10.5.8 Server as an Open Directory Master and utilize Kerberos. Unfortunately, I am running into nothing but problems. I am in a primarily Windows environment that is running a Windows 2003 AD domain. All DNS is handled by the Windows servers. Unfortunately, the AD domain is set up as "domainname.local" and it is not an option to rename it. My Mac server is correctly set up in DNS as "macsrv01.domainname.local". The server was set up as "Advanced Server".

Issuing the “hostname” command returns “macsrv01.domainname.local”.

Issuing “host macsrv01.domainname.local” returns the correct IP address.

Issuing host "ipaddress" returns domain name pointer “macsrv01.domainname.local”.

Issuing “changeip -checkhostname” returns the correct info and "The names match. There is nothing to change."


The problem I am running into is this: When I go to promote the server from "Standalone Server" to "Open Directory Master" I never get prompted to enter a Kerberos realm. I first get asked to create the Master Domain Administrator account. I enter this information and click "Continue". I am then taken to a screen that says: "This server will become an Open Directory Master." This screen also lists:

Name: Directory Administrator
Short Name: diradmin
User ID: 1000
Password: --------

However, there is nothing else on this screen other than the "Continue" button. There is nowhere to enter the Kerberos realm info.

When I click "Continue" I get a new screen saying: "This server has been configured as an Open Directory Master." However, when I check the overview screen, it shows:

LDAP Server is: Running
Password Server is: Running
Kerberos is: Stopped

Also, there is no button to try and start Kerberos.

Does anyone have any suggestions on how I can get Kerberos to start?

I am guessing my problems have to do with the fact I am part of a .local domain. However, I thought I had read that this was no longer supposed to be an issue after Mac Server OS 10.5.5. Has anyone ever gotten Kerberos to start in a .local domain? Any help would be appreciated.

MacBook Pro, Mac OS X (10.6.5)

Posted on Jan 3, 2011 2:04 PM
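As an added example (not code from the thread or from Apple), the script below packages the pre-flight checks the poster ran by hand, the hostname lookup, the forward lookup and the reverse lookup, into a POSIX sh script, and adds the test the replies in this thread say matters most: whether the server's name sits under .local, which OS X already uses for Bonjour/mDNS and the Local KDC (LKDC). The host names and addresses in the comments are constructed; `dig`, `hostname` and `changeip` are called only when present.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for a server
# that is about to be promoted to Open Directory Master.  Reproduces the
# hostname / host / reverse-lookup checks from the original post and adds
# a .local test (mDNS and the Local KDC already claim that domain on OS X).
# Names such as macsrv01.domainname.local used when testing are constructed.

# Print the last DNS label of a name, lower-cased, ignoring a trailing dot.
tld_of() {
    printf '%s\n' "$1" | sed 's/\.$//' | awk -F. '{ print tolower($NF) }'
}

# Exit 0 when the name is under .local (Kerberos will not start there).
is_local_domain() {
    [ "$(tld_of "$1")" = "local" ]
}

# Normalise a name for comparison: lower-case, no trailing dot.
canon() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Exit 0 when forward and reverse lookups agree.  Arguments: the FQDN,
# the address the forward lookup returned, the name the reverse lookup
# returned.  Kept free of network calls so it can be checked offline.
forward_reverse_match() {
    [ -n "$2" ] && [ "$(canon "$1")" = "$(canon "$3")" ]
}

# Live check on the machine itself.  Returns 0 when every test passes.
check_live() {
    status=0
    fqdn=$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo "")
    [ -n "$fqdn" ] || { echo "could not determine the host name"; return 2; }
    echo "host name: $fqdn"

    if is_local_domain "$fqdn"; then
        echo "WARNING: $fqdn is under .local; Kerberos will not start (LKDC clash)"
        status=1
    fi

    if command -v dig >/dev/null 2>&1; then
        addr=$(dig +short +time=2 +tries=1 A "$fqdn" 2>/dev/null | head -n 1)
        ptr=""
        [ -n "$addr" ] && ptr=$(dig +short +time=2 +tries=1 -x "$addr" 2>/dev/null | head -n 1)
        echo "forward: ${addr:-<none>}   reverse: ${ptr:-<none>}"
        if forward_reverse_match "$fqdn" "$addr" "$ptr"; then
            echo "forward and reverse DNS agree"
        else
            echo "WARNING: forward and reverse DNS do not agree"
            status=1
        fi
    else
        echo "dig not found; skipping DNS lookups"
    fi

    # OS X Server ships changeip; run its own consistency check when present.
    if command -v changeip >/dev/null 2>&1; then
        changeip -checkhostname || status=1
    fi
    return $status
}

# Run the live check when executed as a script; do nothing when sourced.
case "${0##*/}" in
    sh|bash|dash|ksh|zsh|-sh|-bash|-dash|-ksh|-zsh) ;;
    *) check_live || echo "pre-flight checks failed" ;;
esac
```

Run it on the server before promoting; a .local warning means the promotion will leave Kerberos stopped regardless of how cleanly the other lookups resolve.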

7 replies

Jan 3, 2011 3:04 PM in response to tmcbride67

Hi

If DNS is based around .local (regardless of how well everything resolves) Kerberos won't ever start as this will clash with the Local Key Distribution Centre (LKDC). The information regarding it no longer being an issue is for client workstations in an AD environment. In reality it's still a problem and the advice is to avoid the use of .local whenever possible. Having said that it's possible to make client workstations work fairly reliably in .local AD environments with some tweaking.

When OSX Server is concerned and assuming 'classic' AD-OD Integration - ie: OSX bound to AD Domain and configured to augment Policies from AD with mac-style GPOs - you don't want Kerberos to start. The use of .local in that case is actually beneficial as it's a guarantee the Service won't ever start.

Why would you want OSX Server to provide SSO anyway? If SSO is with AD what would be the point?

Tony

Jan 4, 2011 8:50 AM in response to tmcbride67

Hi Antonio,

Thank you for the response. I guess I misunderstood the steps needed for AD/OD integration. I was under the misapprehension that the OD server needed to first be set up for Kerberos SSO before joining the AD domain, and that once it joined the AD domain, AD would then take over SSO from the OD server.

If I understand correctly now, I should first bind the OD server to AD, and then change the OD server from Standalone to "Open Directory Master"? Or should I choose "Connected to a directory server"? Once I do this I presume that the OD server will then just pass on any SSO authentication requests to the AD server's Kerberos realm? Is there any way (in Terminal perhaps?) to verify that the OD server has correctly joined the AD server's Kerberos realm?

Jan 4, 2011 11:22 AM in response to tmcbride67

Hi

You should only have one KDC per Kerberos Realm. Connecting workstations to multiple KDCs can and will cause all sorts of confusion. In 10.4 it was possible to establish a Cross-Realm Trust. This was not a trivial thing to do. I don't see anything regarding this in the 10.6 Documentation so it's more than possible it's not doable anymore? Not certain about 10.5? Perhaps it's something you can explore yourself?

When you use the AD connector it will report back in the OSX Server's Open Directory Service 'Connected to a Directory Server'. This is what the AD plug-in establishes when binding to AD. From there you change the Role (using Server Admin) from 'Connected to a Directory Server' to Open Directory Master. The Server 'knows' it's already connected to a KDC so it has no need to start Kerberos as it's already running elsewhere. It will 'know' what to do in other words. The other parts of Open Directory should start as normal - PasswordServer and LDAP. In a 'classic' AD-OD Integrated environment this is what you want. Kerberos Stopped and the other two Running.

There are a number of ways of verifying if OSX Server and Client have correctly joined the AD Realm. An obvious one is testing if AD Users can log into a Mac Workstation and pull their profile etc. If they can what more do you need?

As I understand it and if you're not interested in any of OSX Services capable of being Kerberized, there's no passing on of any authentication as such. Client workstations are identified, authenticated and authorised directly with AD itself. This is what the AD Connector is 'designed' to do and by default you should see the macs appearing in the Computer Objects Container on AD.

Tony
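For the "is there any way in Terminal to verify" question, here is an added example (not code from the thread or from Apple) of the checks I would run on a bound OS X Server or client: `dsconfigad -show` for the bound domain, `id` for whether an AD user resolves through the directory plug-in, and `klist` for tickets in the cache. The sample `dsconfigad -show` and `id` output in the comments is constructed, and the exact "Active Directory Domain" field label is how I recall dsconfigad printing it, so treat that as an assumption; the live commands themselves are only run when the tools exist.

```shell
#!/bin/sh
# Added example, not code from the thread: Terminal checks for whether a
# Mac is bound to the AD domain and can resolve AD users.  The parsers are
# separated from the live commands so they can be exercised with constructed
# output such as:
#   Active Directory Domain          = domainname.local
#   uid=1105101234(jdoe) gid=1105100513(DOMAINNAME\domain users) ...
# The "Active Directory Domain" label is an assumption about dsconfigad's format.

# Extract the bound domain from 'dsconfigad -show' output read on stdin.
ad_domain_from_show() {
    sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Extract the numeric uid from one line of 'id' output; prints nothing when
# the line is not of the form "uid=NNN(name) ...", e.g. an error message.
uid_from_id_output() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*$/\1/p'
}

# Live check: bound domain, AD user resolution, and the Kerberos ticket cache.
# Usage: check_ad_bind <ad-username>
check_ad_bind() {
    user=${1:?usage: check_ad_bind <ad-username>}
    status=0

    if command -v dsconfigad >/dev/null 2>&1; then
        domain=$(dsconfigad -show 2>/dev/null | ad_domain_from_show)
        if [ -n "$domain" ]; then
            echo "bound to Active Directory domain: $domain"
        else
            echo "WARNING: dsconfigad reports no AD binding"
            status=1
        fi
    else
        echo "dsconfigad not found (not a Mac?); skipping bind check"
    fi

    # An AD user the directory plug-in can see gets a uid from 'id'.
    idline=$(id "$user" 2>/dev/null || true)
    uid=$(uid_from_id_output "$idline")
    if [ -n "$uid" ]; then
        echo "AD user $user resolves to uid $uid"
    else
        echo "WARNING: cannot resolve user $user through the directory"
        status=1
    fi

    # A TGT for the AD realm in the cache means Kerberos against AD works
    # for the logged-in user even though OS X Server's own KDC is stopped.
    if command -v klist >/dev/null 2>&1; then
        klist 2>/dev/null || echo "no Kerberos tickets in the cache"
    fi
    return $status
}

# Example invocation (replace jdoe with an AD account that exists):
# check_ad_bind jdoe
```

Logging in at the console with an AD account, as Tony says, is the end-to-end test; the script is for the case where you want to see which step fails without touching the login window.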

Jan 5, 2011 2:42 PM in response to Antonio Rocco

Hi Tony,

Thanks for all your help. I am at least getting farther than before. I have successfully bound my server to AD and then changed its role to "Open Directory Master". Password and LDAP server are running and Kerberos is stopped as expected. I am successfully able to log in to the server with AD accounts so that indicates the server is bound to AD properly.

The issue I am running into now is that I don't seem to be able to successfully bind clients to the OD server. I have a test Mac running OS 10.6.5. I have successfully bound it to AD and am able to log in to it with an AD account. However, when I try to bind it to OD, the workstation name never shows up in Workgroup Manager on the OD server.

To bind the Mac to OD I am performing the following steps on the client:

1. Open the Accounts control panel and go to Login Options.

2. Click the Edit button next to Network Account Server.

3. Click the "+" sign and enter "server.domain.local" in the Server field.

4. When I click "OK" I see a few messages fly by, basically telling me that it is adding the Open Directory Server, but it never prompts me for a User-name and password to bind it to OD.

5. Finally, it finishes and shows my server's name "server.domain.local" with "Open Directory Server" listed under it and a green light to the left of the server name.

I would think this is indicating that the Mac has been bound to OD. However, when I go into Workgroup Manager on the server and look in the Computers tab, nothing is listed there except "Localhost$". Workgroup Manager shows that I am Authenticated as diradmin to directory:/LDAPv3/127.0.0.1, so I believe I am looking in the right spot.

Any thoughts as to why the Mac workstation is not showing up?

Jan 5, 2011 3:21 PM in response to tmcbride67

Hi

+". . . when I try to bind to OD the workstation name never shows up in Workgroup Manager on the OD server?"+

Mac workstations joined to Open Directory don't automatically show up in WorkGroup Manager. Unless you specifically enable the option. You have to manually add them to a created Computer List.

+". . . it never prompts me for a User-name and password to bind it to OD?"+

You won't be prompted to authenticate to Open Directory. Unlike Microsoft's Active Directory, Apple's implementation of OpenLDAP allows for anonymous binding. In other words there's no requirement for any user to authenticate any workstation when joining/binding to Open Directory. Not unless you specifically enable the option. In a private - and presumably locked down network environment - there would not be much point IMO.

Binding implies the use of an admin account's credentials. You can't avoid this with Active Directory. Open Directory's 'default' behaviour does not require this as already mentioned. I prefer to use 'join' rather than 'bind' because to me, when OD is concerned - it implies no authentication at all. All you need to know is the Server's fqdn and have administrative access on each workstation.

Tony

Feb 9, 2011 7:54 AM in response to Antonio Rocco

Mac workstations joined to Open Directory don't automatically show up in WorkGroup Manager. Unless you specifically enable the option. You have to manually add them to a created Computer List.


Hi, where do I specifically enable the option so the computers are added automatically? It's a brand new OD I am building over here. I cannot seem to find the option.

Thank you for any tips

Feb 9, 2011 8:23 AM in response to PhDaoust

Just found the solution on another post, thanks to Àngel Català

The first step was to go into the "Server Admin" utility on the server side and then to the "Open Directory" configuration, "Settings" and finally "Binding". Then select "Enable authenticated directory binding" and optionally "Require authenticated binding between directory and clients".

The second step is to go into "Directory Utility" on the client side, go to Services, edit LDAPv3, select your directory server entry and press the Edit button. Then go to the "Security" tab, select "Link with directory", enter the Directory Admin name and password and push the "Link..." button.
