Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Adding Principals for my Replica

Thought I'd post you all a quick update.
SSO is now working on both replicas in London and New York, SSO is also working on the Mail Server in London (AFP and SSH) but I just can't get Mail services to authenticate correctly.  I can use Kerberos/SSO for AFP and SSH services on NY and the Mail server but not Mail services.

I managed to resolve the problem of SSO not working on my replicas by adding the replica principals.  Basically the principals for my ODM should have looked like this:

HTTP/email@hidden
HTTP/email@hidden
HTTP/email@hidden
K/email@hidden
XMPP/email@hidden
XMPP/email@hidden
XMPP/email@hidden
afpserver/email@hidden
afpserver/email@hidden
afpserver/email@hidden

Mine used to look similar but only held one principal for each service for the ODM (server.mydomain.com).

I added the principals by logging into kadmin.local.

kadmin.local > addprinc -randkey afpserver/email@hidden

and then to update the keytab
kdamin.local > ktadd afpserver/email@hidden

I did this for every principal on both replicas and then it just worked!!

I then had to add the afp principal to AFP on the NY server:

serveradmin settings afp:kerberosPrincipal = "afpserver/email@hidden"

I think there are problems with the ODM as I shouldn't have to do this in the first place.  However, when I finally upgrade to 10.5 I'll start from scratch and hand enter all of the users.

Only one question if you can help.  Why can't I use GSSAPI authentication on Mail services?

On 6 Jun 2007, at 13:24, Huw Jenkins wrote:

I am trying to add the afp principal to my master for Kerberos to authenticate using AFP on my replica. The replica doesn't seem to have generated the prinicpals as expected during the initial replication process.

So I guess that I do this by:

kadmin.local -q afpserver/email@hidden

where, server.mydomain.com is my ODM and nyc.mydomain.com is my replica.

If so is this all I need to do? Might it harm my healthy ODM? Will this replicate over to my replica during the next replication update?

This is a current snipit from my ODM Principals which look the same on my master:

afpserver/email@hidden

Also, I can't login as kadmin.  when I try I get:

Authenticating as principal root/email@hidden with password.
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

However, I can login as kadmin.local

Perhaps this gives a clue to my initial problem with the replication not generating the expected principals?

Kind regards,
Huw.




-- 
Huw Jenkins 
head of technology 

50 Brook Green  London  W6 7BJ  
T  +44 (0)20 7603 8666  F  +44 (0)20 7605 1888
D  +44 (0)20 7605 1897
www.pearlfisher.com 
 
This email is intended for the named recipient only. If that’s not you, please let us know if we’ve made a mistake, then delete the message.  At Pearlfisher, we do what we can to make sure our emails are virus-free, but we recommend you make your own checks too. And if you plan to send us confidential information, remember that email is never 100% secure.



 

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/macos-x-server/email@hidden

This email sent to email@hidden
References: 
 >Adding Principals for my Replica (From: Huw Jenkins <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.