I moved services from a G5 Xserve to an Intel Xserve (both running
10.4.11 Server). During the process, after promoting the OD Replica
and Windows BDC, I turned to running "changeip" to make the Intel
system's name match the old G5's. Changeip sorta stopped making
visible progress, so I got impatient and pressed Enter several
times. The Enter presses were used in response to requests for
Kerberos authentication, so it seems to have jumped past that part
without doing what it was supposed to do.

I was wavering on whether to do the move over again to "do things
right", but everything, at first glance, was working fine. It turns
out that Kerberos is a little out of whack. If I list the
principals, the ones for the Intel system's temporary name are
there, for example "afpserver/email@hidden", in addition to the
ones for the new host name,
file.math.udel.edu. Now, for the weirdness... When I try to
connect to an AFP (non-guest) share, after doing a successful kinit,
I get a regular password dialogue. After I authenticate, I look at
my Kerberos tickets, and it lists the "afpserver" service principal
for the old host name, not the new one:

Valid Starting     Expires            Service Principal
01/29/08 20:20:46  01/30/08 06:20:46  krbtgt/email@hidden
        renew until 02/05/08 20:20:46
01/29/08 20:21:33  01/30/08 06:20:46  afpserver/email@hidden
        renew until 02/05/08 20:20:46

I'm not sure how that old host name (host-16-199.nss.udel.edu) is
getting picked up first. I would like to fix the Kerberos setup
manually, if I can, instead of resorting to redoing the move again (I
still have the G5 sitting dormant). If anyone has a good idea on
how to fix this, I'm all ears. Thanks in advance for your help.

At this point, it seems that for some reason, the wrong Kerberos
service principal is being retrieved for the AFP mount request. What
maps service requests to service principals? Is it safe to remove the
extra (the ones for the old host name) principals from the Kerberos
setup without knowing what's doing the mapping? In other words, will
the mapping process freak out if the service principals with the old
host names are gone? I've googled and looked at my Kerberos book
(O'Reilly), but nothing's jumping out at me. Something in the setup
still thinks that the system has its old name, and I've looked in all
the obvious places. "changeip -checkhostname" reports the right (new)
hostname. Would running changeip a second time fu things?
-----
- Peter Schwenk
- CITA-3, Systems Administrator
- Mathematical Sciences
- University of Delaware
- schwenk _at_ math _dot_ udel _dot_ edu
- http://www.math.udel.edu/~schwenk
_______________________________________________
Macos-x-server mailing list (email@hidden)