Hello all,
I am trying to implement an Open Directory/LDAP set up using the "Magic Triangle"/"Cylinder
of Destiny" concepts - pulling in users/groups from an Active Directory domain. I diverge a
little in that those concepts, the OSX clients perform the merging of the OD/LDAP and AD
information whereas I perform the merge at the OD/LDAP server so that I can push out the
user info to my clients (a mix of UNIX, Linux and OSX). In testing it works pretty well.
However, I seem to get this problem where the Kerberos stops (which seems to coincide
with the ticket expiring), and at that point, I can no longer get into the OD Master to
modify/manage the LDAP service. I use the AD domain for my Kerberos Realm, so that
I can talk back and forth (it even allows the Linux/UNIX clients to change the AD user
passwords). When I check the OD, even though Server Admin says Kerberos is stopped,
I can see that the services are using the correct AD/Kerberos Realm, and the clients
are still correctly gettting all of the info as expected. It's the OD Master where the problem
lies, since Kerberos is stopped, I cannot use my diradmin account to get into LDAP.
I have checked DNS, and it is running correctly. If I do a klist, there are no tokens.
If I run krb5kdc is claims I am already bound to a realm (which is the realm I expect it
to be bound to). If I run kinit to get a ticket, nothing changes (as expected klist shows the
ticket), and when I log out, it disappears. In the past, I have had to demote the OD Master
to a Standalone server,and then repromote it to being an OD Master and rebind to
the AD/Kerberos Realm at that point. However, this is not an elegant, production level
solution, even if I backup and restore the LDAP database. Is there some way to prod
Kerberos back to life?
Thanks,
Ian
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
