Hi!
This sounds like the most trivial task, but I'm not getting anywhere. My
goal is to let an OSX client access an OD on an OSX server, with
clear-text passwords disabled. Here's what I do:
Server: OSX Server 10.4.2, fresh install, with all security updates
Client: OSX 10.4.2, fresh install, with all security updates
The server is running its local DNS server, which correctly resolves the
server's host name to its IP and back (double-checked!). The server is
configured to use 127.0.0.1 as its DNS. Otherwise, the server is using
an aggregated network link, i.e. only bond0 is bound to any IP.
So I set up an Open Directory master by using the default settings
suggested by Server Admin (they automatically include the correct search
DNs etc).
Then I go to the client, use "Directory Access", highlight "LDAPv3",
enter the local admin password, click on "show options", click on "New",
enter the server's FQDN, hit on "Continue". A new dialog box is
opened, and I enter the directory administrator user ID and password.
This procedure works like a charm if I use default settings.
However, as soon as I set any of the security options in Server Admin,
Policy, Binding (like e.g. "Disable clear text passwords", "Digitally
sign all packets" and so on), I get an error message about an unexpected
error having occurred, and the machine cannot bind to the OD.
The server logs do not show anything useful, only success entries in
the password server log.
Aug 26 2005 23:26:33 RSAVALIDATE: success.
Aug 26 2005 23:26:33 AUTH2: {0x430f86fc3417653d0000000200000002, diradmin} DHX authentication succeeded.
Aug 26 2005 23:26:33 KERBEROS-LOGIN-CHECK: user {0x430f86fc3417653d0000000200000002, diradmin} is in good standing.
Aug 26 2005 23:26:33 QUIT: {no user} disconnected.
Aug 26 2005 23:26:33 KERBEROS-LOGIN-CHECK: user {0x430f86fc3417653d0000000200000002, diradmin} authentication succeeded.
Aug 26 2005 23:26:33 QUIT: {no user} disconnected.
Aug 26 2005 23:26:33 QUIT: {0x430f86fc3417653d0000000200000002, diradmin} disconnected.
Otherwise, Kerberos seems to be running just fine - if I don't select
any of those security options, the client can bind to the directory, and
I can then log in using an OD user entry and experience single sign on
(e.g. connect to more server shares using Apple-K without having to
repeat my password etc.).
Is there any logical error in my procedure? I already tried reinstalling
both server and client from scratch, but to no avail.
This is quite urgent already, and any help will be greatly appreciated.