Hello all,

I am trying to implement an Open Directory/LDAP setup using the "Magic Triangle"/"Cylinder of Destiny" concepts, pulling in users/groups from an Active Directory domain. I diverge a little in that, in those concepts, the OSX clients perform the merging of the OD/LDAP and AD information, whereas I perform the merge at the OD/LDAP server so that I can push out the user info to my clients (a mix of UNIX, Linux and OSX). In testing it works pretty well.

However, I seem to get this problem where the Kerberos stops (which seems to coincide with the ticket expiring), and at that point I can no longer get into the OD Master to modify/manage the LDAP service. I use the AD domain for my Kerberos Realm so that I can talk back and forth (it even allows the Linux/UNIX clients to change the AD user passwords). When I check the OD, even though Server Admin says Kerberos is stopped, I can see that the services are using the correct AD/Kerberos Realm, and the clients are still correctly getting all of the info as expected. It's the OD Master where the problem lies: since Kerberos is stopped, I cannot use my diradmin account to get into LDAP.

I have checked DNS, and it is running correctly. If I do a klist, there are no tokens. If I run krb5kdc it claims I am already bound to a realm (which is the realm I expect it to be bound to). If I run kinit to get a ticket, nothing changes (as expected, klist shows the ticket), and when I log out, it disappears.

In the past, I have had to demote the OD Master to a Standalone server, and then repromote it to being an OD Master and rebind to the AD/Kerberos Realm at that point. However, this is not an elegant, production-level solution, even if I back up and restore the LDAP database. Is there some way to prod Kerberos back to life?

Thanks,
Ian
Macos-x-server mailing list
Copyright © 2011 Apple Inc. All rights reserved.