Demani

Q: Can't login with network users, no local KDC?

10.8.5 is running and there are multiple servers connecting to the OD master. I am trying to set up filesharing on the OD master, but finding that any filesharing login attempt generates the following in the server logs:

9/23/14 11:59:17.791 AM kdc[86]: Got a canonicalize request for a LKDC realm from local-ipc
9/23/14 11:59:17.791 AM kdc[86]: Asked for LKDC, but there is none

I find docs for 10.5/10.6 server on how to rebuild a KDC without affecting password server/LDAP so there isn't a need to recreate everything, but things are a bit different under 10.8.


Filesharing on a remote OD Slave machine works fine to that machine.

Has anyone come across this, and if so what was your solution (right now I'm thinking FreeNAS)?

Mac mini, OS X Mountain Lion (10.8.5), running OS X server

Posted on Sep 23, 2014 9:03 AM

  • by Strontium90, Level 5 (4,077 points), Sep 23, 2014 9:28 AM in response to Demani

    Is DNS set up properly so that all the clients are getting DNS?  If so, try connecting to the server using the fully qualified host name.  Use Connect to Server... in the Finder's Go menu.  Then enter the fully qualified hostname.

    The likely cause of the error is that you are using just the host name, which is being expanded to a Bonjour name.  So when you connect, your user is being sent as demani@server.local.  However, your OD server should be referenced as demani@server.domain.tld.

     

    Reid

    Apple Consultants Network

    Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

    Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

  • by Linc Davis, Level 10 (207,995 points), Sep 23, 2014 3:18 PM in response to Demani

    Many Open Directory problems can be resolved by taking the following steps. Test after each one, and back up all data before making any changes.

    1. The OD master must have a static IP address on the local network, not a dynamic address.

    2. You must have a working DNS service, and the server's hostname must match its fully-qualified domain name. To confirm, select the server by name in the sidebar of the Server application window, then select the Overview tab. Click the Edit button on the Host Name line. On the Accessing your Server sheet, Domain Name should be selected. Change the Host Name, if necessary. The server must have at least a three-level name (e.g. "server.yourdomain.com"), and the name must not be in the ".local" top-level domain, which is reserved for Bonjour.

    3. The primary DNS server used by the server must be 127.0.0.1 (that is, itself) unless you're using another server for internal DNS. The only DNS server set on the clients should be the internal one, which they should get from DHCP if applicable.

    4. Follow these instructions to rebuild the Kerberos configuration on the master.

    5. If you use authenticated binding, check the validity of the master's certificate. The common name must match the hostname and domain name. Deselecting and then reselecting the certificate in Server.app has been reported to have an effect in some cases. Otherwise delete all certificates and create new ones.

    6. Unbind and then rebind the clients in the Users & Groups preference pane. Use the fully-qualified domain name of the master.

    7. Reboot the master and the clients.

    8. Don't log in to the server with a network user's account.

    9. Disable any internal firewalls in use, including third-party "security" software.

    10. If you've created any replica servers, delete them.

    11. As a last resort, export all OD users. In the Open Directory pane of Server, delete the OD server. Then recreate it and import the users. Ensure that the UIDs are in the 1001+ range.
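
The host-name rules in Strontium90's reply above and steps 2 and 3 of this list come down to one question: does the name a client types into Connect to Server... resolve to the master's real FQDN, or to a Bonjour name that routes the user to the Local KDC? The script below is an added example written for this page, not code from the thread, from Apple, or from OS X Server. It performs the offline part of that check on constructed host names (server.example.com and its variants are made up) and assumes the OS X Server default that the OD Kerberos realm is the master's FQDN in upper case, so you can see which names produce the user@server.local principal behind the "Asked for LKDC, but there is none" log line.

```shell
#!/bin/sh
# Added example for this thread, not code from Apple or from any poster.
# Offline sanity check of the host name a client uses to reach an OD master:
# a .local (Bonjour) name sends the user as user@server.local, which the
# KDC answers with "Asked for LKDC, but there is none"; a proper FQDN maps
# onto the master's realm. The names at the bottom are constructed inputs.

# Lower-case a name and drop a trailing dot (DNS absolute-name form).
normalize() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Number of dot-separated labels: server.example.com -> 3.
label_count() {
    printf '%s\n' "$1" | awk -F. '{ print NF }'
}

# Prints one word describing the name and returns non-zero when it is unusable:
#   empty   - nothing to resolve
#   bonjour - .local TLD, reserved for Bonjour, routes to the Local KDC
#   short   - fewer than three labels, so it cannot be the master's FQDN
#   ok      - plausible FQDN (still verify forward/reverse DNS on the box)
check_hostname() {
    n=$(normalize "$1")
    if [ -z "$n" ]; then
        echo empty
        return 1
    fi
    case "$n" in
        *.local)
            echo bonjour
            return 1
            ;;
    esac
    if [ "$(label_count "$n")" -lt 3 ]; then
        echo short
        return 1
    fi
    echo ok
    return 0
}

# Kerberos principal the client will present for USER when it connects via HOST.
# Assumption (OS X Server default): the OD realm is the FQDN in upper case,
# so a good name gives user@SERVER.EXAMPLE.COM. A bad name is passed through
# unchanged, which reproduces the user@server.local form behind the log error.
principal_for() {
    u=$1
    h=$(normalize "$2")
    if check_hostname "$h" >/dev/null; then
        printf '%s@%s\n' "$u" "$(printf '%s' "$h" | tr 'a-z' 'A-Z')"
    else
        printf '%s@%s\n' "$u" "$h"
    fi
}

# Constructed sample inputs: the kind of names a user might type into
# Connect to Server... against a master whose real FQDN is server.example.com.
for h in server.local server server.example.com Server.Example.COM. ; do
    printf '%-22s %-8s %s\n' "$h" "$(check_hostname "$h")" "$(principal_for demani "$h")"
done
```

Only the first and third names survive: server.local is flagged as a Bonjour name and yields demani@server.local, the bare server is too short to be an FQDN, and both spellings of server.example.com map to demani@SERVER.EXAMPLE.COM. The live half of step 2 and 3 has to run on the master itself: `sudo changeip -checkhostname` reports whether forward and reverse DNS agree with the configured host name, and `kinit demani@SERVER.DOMAIN.TLD` followed by `klist` shows whether the KDC issues tickets for the realm at all, independent of file sharing.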

  • by Demani, Level 1 (4 points), Sep 26, 2014 12:29 PM in response to Linc Davis

    1–3. Were all done as part of the setup.

    4. Did this, same issue.

    5. No binding, but I created a second cert, I can't delete the original cert since it is in use by OD (so will need to wait until I can take OD down).

    6. No bound clients, this is strictly for Filesharing and OD replication

    7. Done

    8. Logging in as a local admin

    9. None in place, it’s a vanilla 10.8.5 install with the Server application.

    10. I'll need to do this part over the weekend when nobody will be in.

    11. looks like this may need to happen as well. All users are currently in the 1001+ range.

    I'll check out the rest this weekend, but this is totally confounding. Under 10.6 this was all much more stable and reliable; it seems it has gotten needlessly complex and fragile since they added the Profile Manager aspects.