changing kerberos realm name on macosx 10.4

easiest method...
export users/groups from ldap, demote to standalone, make sure reverse dns is good, promote to OD master, import users/groups, reset all ldap account passwords.

Jeff

Hi

Uptime’s suggestion is correct but the devil is in the detail.

Archive the LDAP Directory and Authentication database. Open Directory > Archive, as well as exporting any Users and Groups in the current LDAP Directory node, you can save passwords by making a backup of Password Server db, although this is not trivial you may find it easier to force users to redefine their passwords using Password Policy in Workgroup Manager. Make a note of any managed preferences that you have although preference property lists are kept in the Users Home folders. Home Folders are not affected and any data in there should be safe. Its a good idea to make a note of the path that is displayed in WorkGroup Manager, you may need it later on. If you want to be ultra careful, back up users home folders.

At this point you should unshare all of your share points.

Now you can either do the next bit before you stop the services or after.

In every service you have configured and started if you go to the Settings tab for those services you’ll notice the property list icon just above the Save button, drag this to the desktop. You can use these to re-configure the Server later on. Its not advisable to use the Open Directory plist. Neither should you use the DNS and DHCP plist if you are planning to change the server name, IP address, address range, FQDN or Kerberos Realm. Demote the Server down to Standalone.

Stop all services. If you need to change the server name, IP address, address range or subnet, do so now either by changing it manually in the Network Preferences pane or by issuing the changeip command in Terminal. Consult the man page if you are not sure for proper usage.

Restart the server. You may have to restart it more than once. Reinstate the property list for your services one by one, starting with AFP, Windows, DHCP, FTP, NetBoot etc, in fact any service that you require that is not wholly dependant on DNS. Reshare any previous share points and test that you can log on by creating a test user in the local directory node.

Thoroughly test the DNS Service after reinstating the property list or if you are creating a new domain name. Make sure that it is resolving correctly before moving on to Open Directory. You will know if DNS is configured correctly because when you promote to Open Directory Master from Standalone the Kerberos Realm and search base fields will be automatically filled in when prompted to create the default Directory Administrator account. THE REALM NAME AND SEARCH BASE FIELD WILL REFLECT THE FQDN OF YOUR SERVER. Configure Mail, Web and Software Update Services later if you want them. Import Users and Groups into the new LDAP Directory node, bear in mind that passwords are not carried over. Re-import the archived directory database if you think you need it and start to relocate home folders to users. Rebind the clients and test thoroughly at every stage.

If you plan this correctly, you should have everything up and running within an hour or two at the most.

hi,
i posted this originaly to a separate thread but then i found this one. it looks like it is what i need except i am still not sure if my setup is not correct.
i also wonder what will happen to my mail if i demote my server and then add the users again as mail is running on that same server ...
here is my original post:
thanks
martin

---
http://discussions.apple.com/thread.jspa?threadID=1062444
---

i am runnng a OD master with mail, web, ichat , windows PDC, DNS on xserve.
i also have a OD replica running backup dns, SDC and web as well.
i was looking to add a .htaccess LDAP authorization file to another os x client machines that runs mediawiki when i realized that the serach base may not be setup correctly. my coleague (who is no longer here) did a clean install of 10.4 server and promoted to OD master after dns was setup and tested, and imported users and mail form the old 10.3.9 server (not sure in which order he did those things)
i do not have any machines binded so the few times i have just tested i had had problems but did not really looked into it as we do not really login to LDAP but with local user accounts. i also have entered manually mail.mydomain.com in the LDAP field and i have been able to successfully login to the OD in the couople of test i have done.
my question is: i am pretty sure dsn was setup correctly before promoting to OD master but i do not know why the serach base did not pick up dc=Mail,dc=mydomain instead of local? from what i read over here i could not tell if the is the correct behavior for os x 10.4 server.
i also wonder if i should change it and if YES, how?
thanks in dadvance.
martin

davidh has actually replied to my original thread ...

What do you do if the search base autofills, but the kerberos realm does not. Does that mean something is set wrong with my campuses dns server! Threw the terminal forward and reverse lookup works with the host command. A few days ago i had both network ports active and swapped the ip address between them and disable the slower one.

http://docs.info.apple.com/article.html?artnum=303697

http://docs.info.apple.com/article.html?artnum=302044