Mr Beardsley
Level 1 (40 points)

Q: How to rebuild the KDC on Lion?

It appears that in Lion server there is no longer a kerberize option for slapconfig.  Has anyone successfully rebuit their KDC on Lion server?  The old directions for Leopad and Snow Leopard http://support.apple.com/kb/HT3655 no longer work.

Posted on Feb 1, 2012 8:17 PM

by DJEMiVT,Solvedanswer
DJEMiVT DJEMiVT
Level 1 (35 points)
A:

I spoke with Enterprise support a few times regarding my Kerberos mess. Apple Enterprise support insists that the only way to rebuild the KDC on Lion is to demote to Stand Alone and re-build the OD Master. They acknowledged that slapconfig -kerberize no longer exists.

Posted on May 8, 2012 1:37 PM

Close
Mr Beardsley

Q: How to rebuild the KDC on Lion?

  • All replies
  • Helpful answers

  • by Drakimor,

    Drakimor Drakimor Apr 19, 2012 8:39 PM in response to Mr Beardsley
    Level 1 (1 points)
    Apr 19, 2012 8:39 PM in response to Mr Beardsley

    Bump... I am having issues doing a rebuild as well and bad kerberos is messing up replication.

  • by DJEMiVT,

    DJEMiVT DJEMiVT Apr 27, 2012 8:18 PM in response to Drakimor
    Level 1 (35 points)
    Apr 27, 2012 8:18 PM in response to Drakimor

    I am also having this issue

  • by davidh,

    davidh davidh Apr 28, 2012 6:00 PM in response to Mr Beardsley
    Level 4 (1,890 points)
    Apr 28, 2012 6:00 PM in response to Mr Beardsley

    Some recommended reference material:

    Kerberos Part 1 - Introduction to Kerberos http://www.afp548.com/article.php?story=20060709175021180

    Kerberos Part 2 - Kerberos on OS X http://www.afp548.com/article.php?story=20060714092117916&query=open+directory

    Kerberos Part 3 - Kerberos On Member Servers http://www.afp548.com/article.php?story=20060724104018616&query=open+directory

     

    In most cases it should be as simple as:


    1. Make a backup. Always make a full backup. Ensure that it's good.
    2. Backup. You did backup right ? Clone your system drive to another volume, it's easy.

     

     

    3. sso_util remove -k -a diradmin -p <diradminpass> -r YOUR.DOMAIN.HERE

    4. kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p <diradminpass> YOUR.DOMAIN.HERE

    5. kdcsetup -a diradmin -p <diradminpass> YOUR.DOMAIN.HERE

    6. slapconfig -kerberize -f diradmin YOUR.DOMAIN.HERE

  • by DJEMiVT,

    DJEMiVT DJEMiVT Apr 28, 2012 9:14 PM in response to davidh
    Level 1 (35 points)
    Apr 28, 2012 9:14 PM in response to davidh

    The problem is that lion does not have the slapconfig -kerberize option.

  • by davidh,

    davidh davidh Apr 29, 2012 5:12 AM in response to DJEMiVT
    Level 4 (1,890 points)
    Apr 29, 2012 5:12 AM in response to DJEMiVT

    Indeed, you're correct. I have not tried this with Lion (haven't needed to), but have re-Kerberized 10.5 and 10.6 servers successfully a few times.

     

    I saw that slapconfig is present in Lion but never imagined they'd remove the -kerberize option.

     

    What we do find in Lion is kerberosautoconfig (man kerberosautoconfig for more).


    From the manpage(s) of kerberosautoconfig:

     

     

    EXAMPLES

         To use kerberosautoconfig and kdcsetup to set up a stock MIT KDC

     

     

         kerberosautoconfig -r REALM.ORG -m myserver.org

     

     

         kdcsetup -w -a administrator -p admin_pass REALM.ORG

     

     

         To use kerberosautoconfig and kdcsetup to set up an Apple KDC as a master with a local open directory master

     

     

         kerberosautoconfig -r REALM.ORG -m myserver.org

     

     

         kdcsetup -f /LDAPv3/127.0.0.1 -w -a administrator -p admin_pass REALM.ORG

  • by Mr Beardsley,

    Mr Beardsley Mr Beardsley Apr 29, 2012 8:58 AM in response to davidh
    Level 1 (40 points)
    Apr 29, 2012 8:58 AM in response to davidh

    Lion doesn't have kerberosautoconfig, and it does not use MIT Kerberos, it uses Heimdal Kerberos.  So things are going to be different between 10.6 and 10.7.

  • by davidh,

    davidh davidh Apr 29, 2012 3:58 PM in response to Mr Beardsley
    Level 4 (1,890 points)
    Apr 29, 2012 3:58 PM in response to Mr Beardsley

    I see that now too. SIGH (over this situation). I captured the man pages for some (what must have been Dev) release of Lion server.

     

    Yes, Lion uses Heimdal vs. MIT Kerberos which has been the cause of some other issues.

     

    Looking on my actual Lion server, I find

    kadmin(8)                - Kerberos administration utility

    kadmin.local(8)          - compatiblity shim for MIT Kerberos kadmin.local

    kadmind(8)               - server for administrative access to Kerberos database

    kdc(8)                   - Kerberos 5 server

    klist(1)                 - list Kerberos credentials

    kpasswd(1)               - Kerberos 5 password changing program

    kpasswdd(8)              - Kerberos 5 password changing server

    krb5.conf(5)             - configuration file for Kerberos 5

    ktutil(8)                - manage Kerberos keytabs

    pam_krb5(8)              - Kerberos 5 PAM module

     

    And nothing pertaining to Kerberos in the new (to Lion) odutil.

     

    This person claims that kerberosautoconfig copied over from Snow Leopard still works.
    Worth a try (after backing up, of course):

     

    http://osxmacolyte.blogspot.com/2012/03/kerberos-client-config-with-od-on-sl.htm l

     

     

    strings /System/Library/PrivateFrameworks/HeimODAdmin.framework/HeimODAdmin

     

    looks interesting, but that binary can't be called directly in the command line - but I don't mean to suggest it's intended to be.

  • by DJEMiVT,

    DJEMiVT DJEMiVT Apr 30, 2012 4:01 PM in response to davidh
    Level 1 (35 points)
    Apr 30, 2012 4:01 PM in response to davidh

    I would gladly test this if I had a snow leopard server. Unfortunately I don't. There is also this file on lion server: /usr/libexec/configureLocalKDC.

     

    This is a perl script and it seems to enable the local SHA key based principal, however it does not get kerberos working with OD as far as I can tell.

     

    I think I'm going to have to export all my users and groups, and re-import them to a new directory. The problem with this is that I will have a new root certificate, which then has to be pushed to all the client computers.

     

    The only other option is to archive from the OD server manager window demote to stand alone, create a new open directory master, and restoring the archive. In testing this changed my realm from domain.com to hostname.domain.com, which is not how it was initially configured, leading to yet another set of issues.

     

    For right now, the server is running without kerberos. I really hope someone can point me in the right direction, since all the options I have now require significant downtime and annoyance to over 100 users.

  • by Mr Beardsley,

    Mr Beardsley Mr Beardsley May 8, 2012 12:15 PM in response to davidh
    Level 1 (40 points)
    May 8, 2012 12:15 PM in response to davidh

    Here is the relevant portion from the logs where Kereberos is initially setup:

     

    2011-08-16 18:44:49 +0000 Configuring Kerberos server, realm is HOSTNAME.EXAMPLE.COM
2011-08-16 18:44:49 +0000 command: /usr/sbin/kdcsetup -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -w -a diradmin -p **** -v 1 HOSTNAME.EXAMPLE.COM
2011-08-16 18:45:06 +0000 Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Creating KDC Config File
Creating Kerberos Database
Creating new random master key
Creating Kerberos Admin user
Creating ACL file
Adding kerberos auth authority to admin user
Starting kdc & kadmind
Creating launchd file for kadmind
Adding the new KDC into the KerberosClient config record
Finished
2011-08-16 18:45:06 +0000 command: /usr/sbin/kdcsetup -e
2011-08-16 18:45:06 +0000 command: /usr/sbin/sso_util configure -x -r HOSTNAME.EXAMPLE.COM -f /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi -a diradmin -p **** -v 1 all
2011-08-16 18:45:07 +0000 command: /usr/sbin/mkpassdb -kerberize
2011-08-16 18:45:07 +0000 Updating user records and principals
2011-08-16 18:45:21 +0000 Asking OpenDirectoryConfig to bind to server: 127.0.0.1
2011-08-16 18:45:23 +0000 Attempting to open /LDAPv3/127.0.0.1 node
2011-08-16 18:45:23 +0000 Verified /LDAPv3/127.0.0.1 node is available
2011-08-16 18:45:23 +0000 command: /usr/sbin/sso_util info -r /LDAPv3/127.0.0.1 -p

  • by DJEMiVT,Solvedanswer

    DJEMiVT DJEMiVT May 8, 2012 1:37 PM in response to Mr Beardsley
    Level 1 (35 points)
    May 8, 2012 1:37 PM in response to Mr Beardsley

    I spoke with Enterprise support a few times regarding my Kerberos mess. Apple Enterprise support insists that the only way to rebuild the KDC on Lion is to demote to Stand Alone and re-build the OD Master. They acknowledged that slapconfig -kerberize no longer exists.

  • by DJEMiVT,Helpful

    DJEMiVT DJEMiVT May 8, 2012 1:40 PM in response to DJEMiVT
    Level 1 (35 points)
    May 8, 2012 1:40 PM in response to DJEMiVT

    Also - This bit me hard in the ***: don't change your kerberos realm from the default, FQDN. In our case I changed the realm from HOSTNAME.DOMAIN.TLD to DOMAIN.TLD and it turns out that this is unsupported, and it breaks the server admin archive/restore functionality for OpenDirectory. So if you change your realm, you are on your own. I will be rebuilding my OD master with the default FQDN realm shorty, when I can schedule everyone to reset their passwords. What a PITA...