All,
I’m beating my head against the wall here. Anytime I try to run slapconfig -kerberize diradmin REALM.EXAMPLE.COM I get:
Warning: You are bound to another realm, please use -f to force kerberization.
So, I add -f, and get:
Warning: You are bound to another realm, suggest not to kerberize this OD server.
[code]Removed directory at path /var/db/krb5kdc.
command: /sbin/kerberosautoconfig -r REALM.EXAMPLE.COM -m server.example.com -u -v 1
command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 REALM.EXAMPLE.COM
kdcsetup command output:
Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Creating KDC Config File
kdcsetup command failed with status 11
kdcsetup command failed with exit code 11: stdout=(null), error-message=Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Creating KDC Config File[/code]
And that’s it. No further. I know there are users that don’t have kerberos entries in their accounts (mine is one of them).
Please advise!
nope, never.
So, clear out /var/db/krb5kdc, /Library/Preferences/edu.mit.kerberos and /etc/krb5kdc.keytab?
I’m not sure how to clear out the dslocal stuff. Also, one of the sites I found said to clear out the local KDC stuff, but I’m not sure how to find out what that is either.
Okay, so I’ve gotten this to go a bit further, but I’m still stuck.
What I had to do was:
rm /var/db/krb5kdc, /etc/krb5kdc.keytab, /Library/Preferences/edu.mit.kerberos, /var/db/dslocal/nodes/Default/config/Kerberos:REALM
Then, go into WGM, go into inspector, then config for /LDAPv3/127.0.0.1, and kill the KerberosKDC, and KerberosClient.
That seems to be EVERYTHING related to kerberos.
Then if I run slapconfig -kerberize -f diradmin REALM.NAME.COM, it runs through fine until it gets to mkpassdb -kerberize, where it seems to hang. Yet, I can run mkpassdb -kerberize myself just fine.
Once it hangs at that step, it doesn’t do anything else. Meaning it doesn’t go through and fix the user records that don’t have kerberos authentication entries.
After doing all of the above, with removing kerberos, I also can see the “kerberize” button in SA under Open Directory, but hitting that seems to just run slapconfig -kerberize. It hangs in the same spot.
So, I’m stuck. Does anyone have any suggestions? MacTroll?
btw, this is on a 10.5.6 server. changeip -checkhostname comes back clean. I’ve also tried running through this: [url]http://www.makemacwork.com/manually-restart-kerberos.htm[/url] in order, but the kdcsetup command gives me a “bus error”.
Please advise!
So here’s what I get from the slapconfig -kerberize.
[code]ldap:~ root# slapconfig -kerberize -f diradmin REALM.EXAMPLE.COM
diradmin’s Password:
command: /sbin/kerberosautoconfig -r REALM.EXAMPLE.COM -m server.example.com -u -v 1
command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 REALM.EXAMPLE.COM
kdcsetup command output:
Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Creating KDC Config File
Creating Admin ACL File
Creating Kerberos Master Key
Creating Kerberos Database
Creating Kerberos Admin user
WARNING: no policy specified for diradmin@REALM.EXAMPLE.COM; defaulting to no policy
Adding kerberos auth authority to admin user
Creating keytab for the admin tools
Adding KDC & kadmind to launchd
edu.mit.kadmind: Already loaded
com.apple.kdcmond: Already loaded
Adding the new KDC into the KerberosClient config record
Finished
command: /usr/sbin/sso_util configure -r REALM.EXAMPLE.COM -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 all
sso_util command output:
Contacting the directory server
Creating the service list
Creating the service principals
WARNING: no policy specified for fcsvr/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for pcast/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for vnc/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for cifs/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for ldap/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for xgrid/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for vpn/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for ipp/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for xmpp/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for XMPP/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for host/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for smtp/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for nfs/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for http/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for HTTP/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for pop/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for imap/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for ftp/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
WARNING: no policy specified for afpserver/server.example.com@REALM.EXAMPLE.COM; defaulting to no policy
Creating the keytab file
Configuring services
WriteSetupFile: setup file path = /temp.oEqc/setup
command: /sbin/kerberosautoconfig -u -v 1
command: /usr/sbin/mkpassdb -kerberize[/code]
And there it stays. Kerberos does seem to be running, and a listprincs in kadmin.local does result in meaningful output. But, I’m still where I started, with many users not having kerberos authentication authority info in their user record, just an ApplePasswordServer record.
Please help.
I’m not sure I understand. From what I can see, stuff looks fine in kadmin.local. And running ps aux shows a kdc process running, as well as serveradmin saying kerberos is running.
So, not sure I know what to look for, or how to recognize, if something isn’t working… all I can really tell is mkpassdb -kerberize is stuck when it’s called from slapconfig. If I open up a new terminal, and run mkpassdb -kerberize myself, it works fine, and runs through about 13k worth of passdb entries.
I should be more specific. There is a krb5kdc process running with the proper realm, and a kdcmond also running.
I let mkpassdb -kerberize that was called from slapconfig run overnight, and it has still not produced any output. Wish it was just a script so I could go in there and debug it/add some verbosity.
I almost wonder if mkpassdb starts before kerberos has a chance to start up after kdcsetup, etc.
further info…
After killing all the files and entries I listed before, I rebooted and noticed kdcmond was still trying to load. So I ran `launchctl unload -w /System/Library/LaunchDaemons/com.apple.kdcmond.plist`. That seemed to fix that. Figuring it might be preventing something with the mkpassdb process from running smoothly.
Nada. Running the command again gives the same problem.
The interesting part is that mkpassdb is running in ps aux, and top shows it using 0.2% cpu. But `fs_usage mkpassdb` shows only a couple entries after running for over 10 minutes… so if it’s doing something, it’s doing it VERY slowly.
Leaving the process running over the weekend changed nothing.
I can’t help but think this is a bug in slapconfig, as mkpassdb -kerberize runs fine otherwise.
Seemingly, no.
No matter what I try, I keep getting: “Kerberos Login Failed: Client not found in Kerberos database” on the actual OD master machine. The machine is listed in computers in the OD, and has a kerberos entry.
Users with or without the kerberos auth info get the same response.
Thoughts?
okay, correction.
I manually ran mkpassdb -kerberize, and now kerberos works. I can get issued a ticket on an account that has the kerberos authentication info in their user account. A user that does not have that info gets an error:
[code]kinit: Unable to create principal for current user: Unknown Error Code: 118
kinit: Error getting initial tickets: Operation not permitted[/code]
So, still having the initial issue.
further correction, that error was due to a home folder not mounting correctly. I changed the home folder, and now kinit for a user that’s missing kerberos info in their account works.
Odd. I wouldn’t think this should work…
I’ve reconfigured my kerberos as per: http://www.netmojo.ca/2008/01/30/tiger-to-leopard-server-migration-part-four/
When I get to the command: sso_util configure -r MYREALM.CA -a diradmin -p mypasswd all
I get this error:
[code]Contacting the directory server
/Local/Default
/BSD/local
/LDAPv3/127.0.0.1
Creating the service list
Creating the service principals
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
SendInteractiveCommand: failed to get pattern[/code]
The system log shows this:
[code]Nov 3 14:06:22 aeaserver ReportCrash[88903]: Formulating crash report for process kdcsetup[88894]
Nov 3 14:06:23 aeaserver ReportCrash[88903]: Saved crashreport to /Library/Logs/CrashReporter/kdcsetup_2009-11-03-140622_aeaserver.crash using uid: 0 gid: 0, euid: 0 egid: 0[/code]
When I looked in the /var/krb5kdc directory, the principals I created are gone. What happened?
I had tried it and it worked initially, but then I started having issues with computers bound to OD. I ended up nuke and repaving whilst upgrading to 10.6.
I also had this same issue on a 10.5.8 server just now. It was hanging at the mkpassdb stage and therefore wasn’t getting onto the actual authauthority creation stage. I tried following the Apple instructions to the letter but it still didn’t work.
What I did instead was temporarily move mkpassdb to mkpassdb.apple and symlink /usr/bin/true to /usr/sbin/mkpassdb.
I ran all of the steps again and it completed successfully. I had a bunch of correct kerb authauthority records in my OD. I then deleted my symlink and ran mkpassdb -kerberize manually.
As a last step I ran sso_util to configure the server for all services and tested it. Worked like a charm! Kerb on the clients is now working a treat.
Hope this might help others in the same situation.
Cheers
Stu
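Added example, not code from this thread: a small POSIX sh check that tells you which OD user records still carry only an ;ApplePasswordServer; authentication authority and no ;Kerberosv5; entry, which is the state the original poster describes when mkpassdb -kerberize hangs, and the thing to verify after Stu's symlink workaround. It assumes the `dscl -read ... AuthenticationAuthority` output layout and uses a constructed sample so it runs offline; the live-node function at the bottom is only defined, not called.

```shell
#!/bin/sh
# Classify one AuthenticationAuthority value:
#   kerberos  -> a ;Kerberosv5; tag is present
#   pws-only  -> only ;ApplePasswordServer; is present (the broken state)
#   none      -> neither (e.g. ;ShadowHash; or ;basic;)
classify_authauth() {
    case "$1" in
        *';Kerberosv5;'*)          echo kerberos ;;
        *';ApplePasswordServer;'*) echo pws-only ;;
        *)                         echo none ;;
    esac
}

# Constructed sample of "user: AuthenticationAuthority: value" lines, one per
# user, in the shape dscl -read prints (values shortened, not real keys).
SAMPLE_AA='alice: AuthenticationAuthority: ;ApplePasswordServer;0x4a,1024 35 1 root@server.example.com:10.0.0.1 ;Kerberosv5;;alice@REALM.EXAMPLE.COM;REALM.EXAMPLE.COM;
bob: AuthenticationAuthority: ;ApplePasswordServer;0x4b,1024 35 1 root@server.example.com:10.0.0.1
carol: AuthenticationAuthority: ;ShadowHash;'

# Print the user names whose record has no Kerberos authority, one per line.
list_missing_kerberos() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        user=${line%%:*}
        aa=${line#*AuthenticationAuthority:}
        aa=${aa# }
        [ "$(classify_authauth "$aa")" = kerberos ] || echo "$user"
    done
}

# Live variant for an OD master (assumed node path, as used in the thread).
# Not invoked here; run it on the server as root after kerberizing.
live_missing_kerberos() {
    node=${1:-/LDAPv3/127.0.0.1}
    for u in $(dscl "$node" -list /Users); do
        aa=$(dscl "$node" -read "/Users/$u" AuthenticationAuthority 2>/dev/null)
        [ "$(classify_authauth "$aa")" = kerberos ] || echo "$u"
    done
}

list_missing_kerberos "$SAMPLE_AA"   # prints: bob, carol
```

Users it lists are the ones mkpassdb -kerberize (run manually, as in the thread) should upgrade; run it again afterwards and the list should be empty.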