Home › Forums › OS X Server and Client Discussion › Open Directory › slapconfig -kerberize fails
- This topic has 18 replies, 4 voices, and was last updated 14 years, 12 months ago by
sramdeen.
-
AuthorPosts
-
March 29, 2009 at 9:07 am #375835
rstasel
ParticipantAll,
I’m beating my head against the wall here. Anytime I try to run slapconfig -kerberize diradmin REALM.EXAMPLE.COM I get:
Warning: You are bound to another realm, please use -f to force kerberization.
So, I add -f, and get:
Warning: You are bound to another realm, suggest not to kerberize this OD server.
Removed directory at path /var/db/krb5kdc.
command: /sbin/kerberosautoconfig -r REALM.EXAMPLE.COM -m server.example.com -u -v 1
command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 REALM.EXAMPLE.COM
kdcsetup command output:
Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Creating KDC Config File
kdcsetup command failed with status 11
kdcsetup command failed with exit code 11: stdout=(null), error-message=Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Creating KDC Config FileAnd that’s it. No further. I know there are users that don’t have kerberos entries in their accounts (mine is one of them).
Please advise!
March 31, 2009 at 5:20 am #375851rstasel
Participantnope, never.
So, clear our /var/db/krb5kdc, /Library/Preferences/edu.mit.kerberos and /etc/krb5kdc.keytab?
I’m not sure how to clear our the dslocal stuff. Also, one of the sites I found said to clear out the local KDC stuff, but I’m not sure how to find out what that is either.
April 9, 2009 at 9:18 pm #375970rstasel
ParticipantOkay, so I’ve gotten this to go a bit further, but I’m still stuck.
What I had to do was:
rm /var/db/krb5kdc, /etc/krb5kdc.keytab, /Library/Preferences/edu.mit.kerberos, /var/db/dslocal/nodes/Default/config/Kerberos:REALMThen, go into WGM, go into inspector, then config for /LDAPv3/127.0.0.1, and kill the KerberosKDC, and KerberosClient.
That seems to be EVERYTHING related to kerberos.
Then if I run slapconfig -kerberize -f diradmin REALM.NAME.COM, it runs through fine until it gets to mkpassdb -kerberize, where it seems to hang. Yet, I can run mkpassdb -kerberize myself just fine.
Once it hangs at that step, it doesn’t do anything else. Meaning it doesn’t go through and fix the user records that don’t have kerberos authentication entries.
After doing all of the above, with removing kerberos, I also can see the “kerberize” button in SA under Open Directory, but hitting that seems to just run slapconfig -kerberize. It hangs in the same spot.
So, I’m stuck. Does anyone have any suggestions? MacTroll?
btw, this is on a 10.5.6 server. changeip -checkhostname comes back clean. I’ve also tried running through this: [url]http://www.makemacwork.com/manually-restart-kerberos.htm[/url] in order, but the kdcsetup command gives me a “bus error”.
Please advise!
April 9, 2009 at 11:42 pm #375972rstasel
ParticipantSo here’s what I get from the slapconfig -kerberize.
[code]ldap:~ root# slapconfig -kerberize -f diradmin REALM.EXAMPLE.COM
diradmin’s Password:
command: /sbin/kerberosautoconfig -r REALM.EXAMPLE.COM -m server.example.com -u -v 1
command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 REALM.EXAMPLE.COM
kdcsetup command output:
Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Creating KDC Config File
Creating Admin ACL File
Creating Kerberos Master Key
Creating Kerberos Database
Creating Kerberos Admin user
WARNING: no policy specified for [email protected]; defaulting to no policy
Adding kerberos auth authority to admin user
Creating keytab for the admin tools
Adding KDC & kadmind to launchd
edu.mit.kadmind: Already loaded
com.apple.kdcmond: Already loaded
Adding the new KDC into the KerberosClient config record
Finished
command: /usr/sbin/sso_util configure -r REALM.EXAMPLE.COM -f /LDAPv3/127.0.0.1 -a diradmin -p **** -v 1 all
sso_util command output:
Contacting the directory server
Creating the service list
Creating the service principals
WARNING: no policy specified for fcsvr/[email protected]; defaulting to no policy
WARNING: no policy specified for pcast/[email protected]; defaulting to no policy
WARNING: no policy specified for vnc/[email protected]; defaulting to no policy
WARNING: no policy specified for cifs/[email protected]; defaulting to no policy
WARNING: no policy specified for ldap/[email protected]; defaulting to no policy
WARNING: no policy specified for xgrid/[email protected]; defaulting to no policy
WARNING: no policy specified for vpn/[email protected]; defaulting to no policy
WARNING: no policy specified for ipp/[email protected]; defaulting to no policy
WARNING: no policy specified for xmpp/[email protected]; defaulting to no policy
WARNING: no policy specified for XMPP/[email protected]; defaulting to no policy
WARNING: no policy specified for host/[email protected]; defaulting to no policy
WARNING: no policy specified for smtp/[email protected]; defaulting to no policy
WARNING: no policy specified for nfs/[email protected]; defaulting to no policy
WARNING: no policy specified for http/[email protected]; defaulting to no policy
WARNING: no policy specified for HTTP/[email protected]; defaulting to no policy
WARNING: no policy specified for pop/[email protected]; defaulting to no policy
WARNING: no policy specified for imap/[email protected]; defaulting to no policy
WARNING: no policy specified for ftp/[email protected]; defaulting to no policy
WARNING: no policy specified for afpserver/[email protected]; defaulting to no policy
Creating the keytab file
Configuring services
WriteSetupFile: setup file path = /temp.oEqc/setupcommand: /sbin/kerberosautoconfig -u -v 1
command: /usr/sbin/mkpassdb -kerberize[/code]And there it stays. Kerberos does seem to be running, and a listprincs in kadmin.local does result in meaningful output. But, I’m still where I started, with many users not having kerberos authentication authority info in their user record, just an ApplePasswordServer record.
Please help.
April 10, 2009 at 3:50 pm #375977rstasel
ParticipantI’m not sure I understand. From what I can see, stuff looks fine in kadmin.local. And running ps aux shows a kdc process running, as well as serveradmin saying kerberos is running.
So, not sure I know what to look for, or how to recognize, if something isn’t working… all I can really tell is mkpassdb -kerberize is stuck when it’s called from slapconfig. If I open up a new terminal, and run mkpassdb -kerberize myself, it works fine, and runs through about 13k worth of passdb entries.
April 10, 2009 at 5:08 pm #375978rstasel
ParticipantI should be more specific. There is a krb5kdc process running with the proper realm, and a kdcmond also running.
I let mkpassdb -kerberize that was called from slapconfig run overnight, and it has still not produced any output. Wish it was just a script so I could go in there and debug it/add some verbosity.
I almost wonder if mkpassdb starts before kerberos has a chance to start up after kdcsetup, etc.
April 10, 2009 at 7:24 pm #375979rstasel
Participantfurther info…
After killing all the files and entries I listed before, I rebooted and noticed kdcmond was still trying to load. So I ran `launchctl unload -w /System/Library/LaunchDaemons/com.apple.kdcmond.plist`. That seemed to fix that. Figuring it might be preventing something with the mkpassdb process from running smoothly.
Nada. Running the command again gives the same problem.
The interesting part is that mkpassdb is running in ps aux, and top shows it using 0.2% cpu. But `fs_usage mkpassdb` shows only a couple entries after running for over 10 minutes… so if it’s doing something, it’s doing it VERY slowly.
April 13, 2009 at 9:05 pm #375987rstasel
Participantleaving the process running over the weekend changed nothing.
I can’t help but think this is a bug in slapconfig, as mkpassdb -kerberize runs fine otherwise.
April 16, 2009 at 9:12 pm #376011rstasel
ParticipantSeemingly, no.
No matter what I try, I keep getting: “Kerberos Login Failed: Client not found in Kerberos database” on the actual OD master machine. The machine is listed in computers in the OD, and has a kerberos entry.
Users with or without the kerberos auth info get the same response.
Thoughts?
April 16, 2009 at 10:29 pm #376012rstasel
Participantokay, correction.
I manually ran mkpassdb -kerberize, and now kerberos works. I can get issued a ticket on an account that has the kerberos authentication info in their user account. A user that does not have that info gets an error :
kinit: Unable to create principal for current user: Unknown Error Code: 118
kinit: Error getting initial tickets: Operation not permittedSo, still having the initial issue.
April 16, 2009 at 10:38 pm #376013rstasel
Participantfurther correction, that error was due to a home folder not mounting correctly. I changed the home folder, and now kinit for a user that’s missing kerberos info in their account works.
Odd. I wouldn’t think this should work…
November 3, 2009 at 8:19 pm #377443macmanjim
ParticipantI’ve reconfigured my kerberos as per:http://www.netmojo.ca/2008/01/30/tiger-to-leopard-server-migration-part-four/
When I get to the command:sso_util configure -r MYREALM.CA -a diradmin -p mypasswd all
I get this error:
Contacting the directory server
/Local/Default
/BSD/local
/LDAPv3/127.0.0.1
Creating the service list
Creating the service principals
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
The system log shows this:Nov 3 14:06:22 aeaserver ReportCrash[88903]: Formulating crash report for process kdcsetup[88894]
Nov 3 14:06:23 aeaserver ReportCrash[88903]: Saved crashreport to /Library/Logs/CrashReporter/kdcsetup_2009-11-03-140622_aeaserver.crash using uid: 0 gid: 0, euid: 0 egid: 0When I looked in the /var/krb5kdc directory, the principals I created are gone. What hapened?
January 17, 2010 at 11:04 pm #377834rstasel
ParticipantJanuary 18, 2010 at 1:23 am #377835macmanjim
ParticipantI had tried it and it worked initially, but then I started having issues with computers bound to OD. I ended up nuke and repaving whilst upgrading to 10.6.
April 23, 2010 at 3:16 pm #378428sramdeen
ParticipantI also had this same issue on a 10.5.8 server just now. It was hanging at the mkpassdb stage and therefore wasn’t getting onto the actual authauthority creation stage. I tried following the Apple instructions to the letter but it still didn’t work.
What I did instead was temporarily move mkpassdb to mkpassdb.apple and symlink /usr/bin/true to /usr/sbin/mkpassdb.
I ran all of the steps again and it completely successfully. I had a bunch of correct kerb authauthority records in my OD. I then deleted my symlink and ran mkpassdb -kerberize manually.
As a last step I ran sso_util to configure the server for all services and tested it. Worked like a charm! Kerb on the clients is now working a treat.
Hope this might help others in the same situation.
Cheers
Stu
-
AuthorPosts
- You must be logged in to reply to this topic.
Comments are closed