Can't get it working

b4tn

I am at my wits' end. I have never tried networking Macs and I swear I am going crazy. Over the past few days I have got pretty far, but I am stuck now.

This is step by step what I am doing.

Install 10.4 server

when the assistant starts

Disable IPv6

enter my NAT IP, subnet, gateway, and the DNS, which is the same as the server IP

Check the boxes for the Ethernet TCP/IP and AppleTalk

enable Apple file services

enable Open Directory Master and set password

Somewhere in there I also set the computer name and admin password.

Server configures and restarts

After it boots I go to the DNS service, set the domain name to ns.domain.com and give it the server's IP

in the machines section I add my PowerBook's IP and name, then start the service and reboot.

After reboot I go to the terminal and check the host name just to make sure it is the fully qualified name and it is

Then I do a forward and reverse lookup and they work.

I go back to the Open Directory service and everything is running except Kerberos.

I select Kerberize and enter my Open Directory admin name and password.
Kerberos now shows running.

under policy and binding I select enable directory binding and require clients to bind.

I go to my PowerBook and under Directory Access I check LDAP and Configure, enter the domain and OD admin, and it binds fine.

I go back to the server and create a mobile user, log in to my PowerBook, and all is well, but running klist shows there are no TGTs

I go back to the server check all the boxes under policy and binding

I disjoin the PowerBook from the LDAP directory and try re-adding it. I get an unexpected error.

From here on out, when I authenticate in Workgroup Manager as diradmin the create new user icon is greyed out, as well as all user settings.

I have wiped the server several times today, trying several things I found online and in the Apple knowledge base, but nothing works.

What am I doing wrong?

Here are the most recent entries from my logs.

Directory service log looks good

2006-06-18 18:21:06 CEST - Plug-in PasswordServer state is now active.
2006-06-18 18:21:06 CEST - Plugin "PasswordServer", Version "2.1", loaded on demand successfully.
2006-06-18 18:21:44 CEST - Connection:: 192.168.1.3 connected from PID 49491 for 39186559 usec

This error is always here after a fresh install for some reason in the directory service error log. But it only happens once and I never see it again.

2006-06-18 07:48:10 PDT - Attempt #1 to initialize plug-in LDAPv3 failed.
Will retry initialization at most 100 times every 1 second.
2006-06-18 07:48:11 PDT - Network transition in LDAPv3 plugin returned error -14279

kadmin log

Jun 18 18:17:07 localhost kadmind[50](debug): Got signal to request exit
Jun 18 18:17:07 localhost kadmind[50](info): finished, exiting
Jun 18 18:17:40 localhost kadmind[50](info): Seeding random number generator
Jun 18 18:17:40 localhost kadmind[50](info): No dictionary file specified, continuing without one.
Jun 18 18:17:41 localhost kadmind[50](info): starting

KDC log

Jun 18 18:17:51 xx.server.com krb5kdc[168](info): setting up network...
Jun 18 18:17:51 xx.server.com krb5kdc[168](info): skipping unrecognized local address family 16
Jun 18 18:17:51 xx.server.com krb5kdc[168](info): listening on fd 10: udp 200.0.0.5.88
Jun 18 18:17:51 xx.server.com krb5kdc[168](info): set up 1 sockets
Jun 18 18:17:51 xx.server.com krb5kdc[168](info): commencing operation
Jun 18 18:21:16 xx.server.com krb5kdc[168](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.2: ISSUE: authtime 1150647676, etypes {rep=16 tkt=16 ses=16}, diradmin@XX.SERVER.COM for krbtgt/XX.SERVER.COM@XX.SERVER.COM
Jun 18 18:21:16 xx.server.com krb5kdc[168](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.2: UNKNOWN_SERVER: authtime 1150647676, diradmin@XX.SERVER.COM for ldap/xx.server.com@XX.SERVER.COM, Server not found in Kerberos database

LDAP log

Jun 18 18:18:01 ns slapd[52]: <= bdb_equality_candidates: (apple-computers) index_param failed (18)

Jun 18 18:18:01 ns slapd[52]: <= bdb_substring_candidates: (apple-mcxflags) index_param failed (18)

Password Service log

Jun 18 2006 18:21:36 GETPOLICY: user {0x00000000000000000000000000000001, diradmin}, policies: isDisabled=0 isAdminUser=1 newPasswordRequired=0 usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 usingHardExpirationDate=0 requiresAlpha=0 requiresNumeric=0 expirationDateGMT=4294967295 hardExpireDateGMT=4294967295 maxMinutesUntilChangePassword=0 maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 minChars=0 maxChars=0 passwordCannotBeName=0 requiresMixedCase=0 notGuessablePattern=0 isSessionKeyAgent=0
Jun 18 2006 18:21:36 QUIT: {no user} disconnected.
Jun 18 2006 18:21:44 QUIT: {no user} disconnected.
Jun 18 2006 18:21:44 QUIT: {0x00000000000000000000000000000001, diradmin} disconnected.

This is the entire slapconfig log

2006-06-18 17:13:33 +0200 - slapconfig -createldapmasterandadmin
2006-06-18 17:13:33 +0200 - Creating password server slot
2006-06-18 17:13:33 +0200 - command: /usr/sbin/mkpassdb -u diradmin -p -q
2006-06-18 17:14:04 +0200 - command: /usr/sbin/mkpassdb -a -u root -p -q
2006-06-18 17:14:04 +0200 - command: /usr/sbin/NeST -startpasswordserver
2006-06-18 17:14:06 +0200 - Using generated suffix: dc=ns,dc=biggigx,dc=com
2006-06-18 17:14:37 +0200 - Starting LDAP server (slapd)
2006-06-18 17:14:41 +0200 - command: /usr/bin/ldapadd -c -x -D uid=root,cn=users,dc=xx,dc=server,dc=com -w ****
2006-06-18 17:14:43 +0200 - adding directory admin to local admin group failed with error -14134
2006-06-18 17:15:13 +0200 - Could not resolve hostname xx.server.com
2006-06-18 17:15:13 +0200 - Skipping Kerberos configuration
2006-06-18 17:15:13 +0200 - command: /usr/sbin/vpnaddkeyagentuser -q /LDAPv3/127.0.0.1
2006-06-18 17:23:58 +0200 - slapconfig -kerberize
2006-06-18 17:23:59 +0200 - command: /sbin/kerberosautoconfig -r XX.SERVER.COM -m xx.server.com -u -v 1
2006-06-18 17:23:59 +0200 - command: /usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p **** -v 1 XX.SERVER.COM
2006-06-18 17:24:01 +0200 - kdcsetup command output:
Contacting the Directory Server
Authenticating to the Directory Server
Creating Kerberos directory
Creating KDC Config File
Creating Admin ACL File
Creating Kerberos Master Key
Creating Kerberos Database
Creating Kerberos Admin user
WARNING: no policy specified for diradmin@XX.SERVER.COM; defaulting to no policy
Adding kerberos auth authority to admin user
Creating keytab for the admin tools
Adding KDC & kadmind to launchd
Adding the new KDC into the KerberosClient config record
Finished
2006-06-18 17:24:01 +0200 - command: /usr/sbin/mkpassdb -kerberize
2006-06-18 17:24:01 +0200 - mkpassdb command output:
WARNING: no policy specified for vpn_cdad9ed1a77e@XX.SERVER.COM; defaulting to no policy
WARNING: no policy specified for root@XX.SERVER.COM; defaulting to no policy
WARNING: no policy specified for diradmin@XX.SERVER.COM; defaulting to no policy
add_principal: Principal or policy already exists while creating "diradmin@XX.SERVER.COM".

2006-06-18 17:28:55 +0200 - slapconfig -setmacosxodpolicy
2006-06-18 17:28:55 +0200 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2006-06-18 17:37:36 +0200 - slapconfig -setmacosxodpolicy
2006-06-18 17:37:36 +0200 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2006-06-18 17:52:44 +0200 - slapconfig -setmacosxodpolicy
2006-06-18 17:52:44 +0200 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2006-06-18 17:53:45 +0200 - slapconfig -setmacosxodpolicy
2006-06-18 17:53:45 +0200 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2006-06-18 17:54:30 +0200 - slapconfig -setmacosxodpolicy
2006-06-18 17:54:30 +0200 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2006-06-18 17:55:38 +0200 - slapconfig -setmacosxodpolicy
2006-06-18 17:55:38 +0200 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
2006-06-18 18:10:39 +0200 - slapconfig -setmacosxodpolicy
2006-06-18 18:10:39 +0200 - command: /usr/bin/ldapadd -c -x -H ldapi://%2Fvar%2Frun%2Fldapi
 
Could be bunches of things:

1. Time skew? Use the same NTP for all boxes. Anything more than a couple minutes will fail this.

2. Setup progression. Before building any services, you want to have your DNS *perfect*. Setting it up afterwards in all probability is too late, even if some services appear to be OK.

3. Do you have a valid Kerberos keytab file? sudo klist -kt

4. Turn on directory service debug mode and attempt some of these tasks.

5. Do you have the same search domain specified on the server and client?

6. In a previous thread, we discovered your hostname was improperly set. The hostname/IP, etc is hard written into many configuration files. Look at man changeip for more on that.

Michael
 
Thanks for the help


1. Time skew? Use the same NTP for all boxes. Anything more than a couple minutes will fail this.

Double and triple checked that. Both the server and the PowerBook are set to the same time server. I have toyed with the idea of setting the server up as a time server though.

2. Setup progression. Before building any services, you want to have your DNS *perfect*. Setting it up afterwards in all probability is too late, even if some services appear to be OK.

Both forward and reverse lookups seem to be working perfectly on both the server and the PowerBook. DNS is the first thing I establish before enabling Active Directory.

3. Do you have a valid Kerberos keytab file? sudo klist -kt

I ran the command and it said

keytab name: FILE:/etc/krb5.keytab
Klist: No such file or directory while starting scan of keytab (null)

4. Turn on directory service debug mode and attempt some of these tasks.

How do you turn on debug mode?

5. Do you have the same search domain specified on the server and client?

DNS is set to the IP of both server and client.

6. In a previous thread, we discovered your hostname was improperly set. The hostname/IP, etc is hard written into many configuration files. Look at man changeip for more on that.

So far, as long as I set up the DNS first, running hostname always shows the fully qualified domain name. I did try manually setting it in the hosts file using pico, but it didn't seem to make a difference.

Thanks again
 
b4tn said:
3. Do you have a valid Kerberos keytab file? sudo klist -kt

I ran the command and it said

keytab name: FILE:/etc/krb5.keytab
Klist: No such file or directory while starting scan of keytab (null)

Yeah, that would be a mighty large issue. :) This means that there isn't a single service principal created for your KDC. I would say that since you had KDC issues to begin with, this ultra important file was never created.

Michael
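To make Michael's diagnosis checkable rather than eyeballed, here is an added triage helper (not from the thread or from Apple): it pulls every service principal the KDC rejected with UNKNOWN_SERVER out of a krb5kdc log and reports the ones that are also absent from a `klist -kt` listing. The sample log lines are modelled on the ones quoted above; the keytab listing is constructed, and the assumption that `klist -kt` prints the principal as the last column of each entry is mine.

```shell
#!/bin/sh
# Added example: find service principals the KDC says it does not know and
# confirm whether they are missing from the local keytab as well.

# Print, one per line and de-duplicated, the service principal of every
# TGS_REQ that failed with UNKNOWN_SERVER. Reads krb5kdc log text on stdin.
unknown_servers() {
  grep 'TGS_REQ' | grep 'UNKNOWN_SERVER' |
    sed -n 's/.* for \([^ ,]*@[^ ,]*\),.*/\1/p' | sort -u
}

# Succeed if principal $2 appears as the last column of a klist -kt listing ($1).
keytab_has() {
  printf '%s\n' "$1" | grep -q "[[:space:]]$2\$"
}

# Report principals rejected by the KDC (log text $1) that are also absent
# from the keytab listing ($2). Empty output means the keytab covers them.
missing_service_principals() {
  printf '%s\n' "$1" | unknown_servers | while IFS= read -r princ; do
    keytab_has "$2" "$princ" || printf '%s\n' "$princ"
  done
}

# Constructed sample input: two KDC log lines modelled on the thread, and a
# keytab listing that only holds the admin principal (no ldap/ service key).
KDC_LOG='Jun 18 18:21:16 xx.server.com krb5kdc[168](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.2: ISSUE: authtime 1150647676, etypes {rep=16 tkt=16 ses=16}, diradmin@XX.SERVER.COM for krbtgt/XX.SERVER.COM@XX.SERVER.COM
Jun 18 18:21:16 xx.server.com krb5kdc[168](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.2: UNKNOWN_SERVER: authtime 1150647676, diradmin@XX.SERVER.COM for ldap/xx.server.com@XX.SERVER.COM, Server not found in Kerberos database'
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   3 06/18/06 17:24:01 kadmin/admin@XX.SERVER.COM'

# Prints ldap/xx.server.com@XX.SERVER.COM for the sample above.
missing_service_principals "$KDC_LOG" "$KEYTAB_LISTING"
```

On a live server the same check is `sudo cat /var/log/krb5kdc/kdc.log | unknown_servers` against `sudo klist -kt`; a principal listed by both the KDC and the keytab points elsewhere (time skew, DNS) rather than at a missing computer or service record.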
 
Go3iverson said:
Yeah, that would be a mighty large issue. :) This means that there isn't a single service principal created for your KDC. I would say that since you had KDC issues to begin with, this ultra important file was never created.

Michael

Got it working, and it turned out to be my own bonehead mistake. I knew it was going to be something simple. I forgot to create records for the computers. Once they were created the issue was resolved and I was receiving tickets just fine.

I am having a password policy issue though; maybe you can shed some light on the subject. If I set the policy to require a new password at logon from either the server or account side and try logging in, the computer logs into the local machine with no ticket or access to server resources. It shows authentication failed. If I go back and uncheck the policy it logs in fine.

Related: also, a few times I have logged in to the machine but got no network access or tickets. I check the log and it says authentication failed. If I go into Workgroup Manager and reset the password and log back in, it works again. Any ideas why the password would just stop authenticating?