  1. #1
    b4tn is offline Registered User
    Join Date
    Jun 2001
    Location
    California
    Posts
    171
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Probably a stupid question.

    I am logging into an OSX 10.4 ODM with an OSX 10.4 machine.

    I have Kerberos enabled and all seems to work, but the only way I can access any kind of AFP share is if AFP guest access is turned on. If I disable Kerberos authentication, AFP works fine if guest access is turned off. Is there a reason I have to have guest access on for Kerberos authentication to work?
    PC IT pro by day MacAddict by night

  2. #2
    Go3iverson is offline Registered User
    Join Date
    Mar 2003
    Location
    Chicago, IL
    Posts
    1,071
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Shouldn't be. Are you sure that Kerberos is working?

    On the client, type klist in the Terminal right after logging in. You should have a TGT from the KDC responsible for the network. If you don't, or it is invalid, stop there, that means you have something going on with your KDC itself. If you do, then login to the AFP server. Run klist again and confirm that you have a service ticket from the AFP server. If you don't, again, that could be your issue.

    If you don't get that AFP ticket, ssh into the AFP server and run sudo klist -kt to dump out the service principals for the server itself that are stored in the keytab file. If that file is invalid, missing or just generally gunked up, you have an issue.

    Michael
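
The checks described in the post above, as an added example that is not part of the original reply: a small POSIX shell helper that classifies `klist` output along the same decision tree (no TGT, TGT but no AFP service ticket, both present) and checks a `klist -kt` listing for an AFP service principal. It assumes an MIT-style listing with the principal in the last column and an AFP service principal of the form `afpserver/<host>@<REALM>`; the sample outputs and EXAMPLE.COM names are constructed.

```shell
#!/bin/sh
# Added example: classify Kerberos ticket listings for an AFP login problem.
# Assumptions: principal is the last field of each ticket row, and the AFP
# service principal is named afpserver/<host>@<REALM>. Expiry is not checked.

diagnose_klist() {
    # Reads `klist` output on stdin; prints NO_TGT, NO_AFP_TICKET or OK.
    awk '
        $NF ~ /^krbtgt\/[^@]+@/    { tgt = 1 }   # ticket-granting ticket row
        $NF ~ /^afpserver\/[^@]+@/ { afp = 1 }   # AFP service ticket row
        END {
            if (!tgt)      print "NO_TGT"         # look at the KDC / login first
            else if (!afp) print "NO_AFP_TICKET"  # check the server keytab next
            else           print "OK"
        }'
}

keytab_has_afp() {
    # Reads `sudo klist -kt` output on stdin; succeeds if an AFP principal exists.
    awk '$NF ~ /^afpserver\/[^@]+@/ { found = 1 } END { exit !found }'
}

# Constructed sample outputs (not taken from the thread).
SAMPLE_NO_TGT="klist: No credentials cache found"
SAMPLE_TGT_ONLY="Default principal: user@EXAMPLE.COM

Valid Starting     Expires            Service Principal
06/18/06 07:20:41  06/18/06 17:20:41  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 06/25/06 07:20:41"
SAMPLE_BOTH="$SAMPLE_TGT_ONLY
06/18/06 07:21:02  06/18/06 17:20:41  afpserver/server.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB="Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------
   3 06/10/06 12:00:00 host/server.example.com@EXAMPLE.COM
   3 06/10/06 12:00:00 afpserver/server.example.com@EXAMPLE.COM"

# Demo on the constructed samples; on a real client use: klist | diagnose_klist
for s in "$SAMPLE_NO_TGT" "$SAMPLE_TGT_ONLY" "$SAMPLE_BOTH"; do
    printf '%s\n' "$s" | diagnose_klist
done
if printf '%s\n' "$SAMPLE_KEYTAB" | keytab_has_afp; then
    echo "keytab contains an afpserver principal"
fi
```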

  3. #3
    b4tn is offline Registered User
    This is getting really frustrating! I have never had so much trouble setting up a server before. Granted I know nothing about Unix or the Mac server environment :lol:

    I wanted to check what you said but I deleted the user account. I went to create a new one and now I can't create accounts. After authenticating to the LDAP directory all the user controls are greyed out. I can't add, remove or change users now.
    PC IT pro by day MacAddict by night

  4. #4
    Go3iverson is offline Registered User
    Wow. Ummmm...

    Are you authenticated as a directory administrator, which is, by default, the shortname diradmin, to the directory? After logging in via WGM, look right underneath the button bar to see the directory to which you are authenticated. You may need to go all the way to the right, click the lock and authenticate as diradmin.

    That wasn't the account you deleted, right?

    Michael

    PS: Out of curiosity, are you setting this up for your own hobby/gratification, or are you doing this professionally for someone?

  5. #5
    b4tn is offline Registered User
    Something is wrong with the diradmin account. I can't find where this account actually is created either. This is not the first time this has happened. It seems to be related to me joining a Windows computer to the directory. Last time I re-installed the server lol. I don't want to re-install again. Basically I can authenticate, the password is accepted, but the create user button is grayed out as well as any other account options. The password reset option is available though. The lock in the corner shows unlocked. Take a look at the log snippet: all in the same second it authenticates then disconnects, however the lock stays unlocked.

    As for why I am setting up. A little of both, I am a long time Mac user but have never worked in a network environment with a Mac. All of my work experience is with Windows. We are going to be setting up a classroom with an OSX server in the near future at work. I was the only one of the 3 SAs that wanted to touch an Apple system. I have a spare G4 sitting at home so I am trying to teach myself through trial and error the ways to set this up.

    Jun 18 2006 07:20:41 RSAVALIDATE: success.
    Jun 18 2006 07:20:41 AUTH2: {0x00000000000000000000000000000001, diradmin} DHX authentication succeeded.
    Jun 18 2006 07:20:41 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000001, diradmin} is in good standing.
    Jun 18 2006 07:20:41 QUIT: {no user} disconnected.
    Jun 18 2006 07:20:41 KERBEROS-LOGIN-CHECK: user {0x00000000000000000000000000000001, diradmin} authentication succeeded.
    Jun 18 2006 07:20:41 QUIT: {no user} disconnected.
    PC IT pro by day MacAddict by night

  6. #6
    b4tn is offline Registered User
    I created a more detailed and related thread here:

    http://macosx.com/forums/showthread....12#post1314412

    thanks
    PC IT pro by day MacAddict by night
