Mailing Lists: Apple Mailing Lists
Re: Is it normal for Kerberos to be stopped in magic triangle config?



Hi again,

Just to wrap up this thread for posterity, the answer is YES, it is
normal for Kerberos to be stopped in this configuration, regardless of
whether the TLD is .local or not.

Unfortunately this information did not make it into the newly updated
Open Directory Administration Guide.

Thanks to all who replied.

/Ian

On Sun, May 25, 2008 at 9:14 PM, Ian Flemming <email@hidden> wrote:
> Ok, I tried putting the OD servers into their own subdomain,
> OD.SCHOOL.LOCAL, but Kerberos still won't start. So I'm guessing that
> it's just not possible to get it working with a .local subdomain. Can
> anyone confirm this for me?
>
> In all other respects, it seems that the servers are working fine.
> Replication appears to be working, and clients are getting their MCX
> settings applied. So is there any reason to worry about Kerberos being
> stopped?
>
> /Ian
>
> On Fri, May 23, 2008 at 7:48 AM, Ian Flemming <email@hidden> wrote:
>> Hi all,
>>
>> I am trying to get some 10.5 OD servers integrated into a Windows AD
>> infrastructure at a school district. There will be an OD master, a
>> replica, and a deployment server. The only services they will provide
>> are NetBoot/NetInstall, SW Update, and MCX.
>>
>> The school's existing AD domain is called SCHOOL.LOCAL, which is
>> obviously not ideal, but cannot be changed.
>>
>> I have added the Leopard servers to the domain in the following manner:
>>
>> 1. Verify DNS forward & reverse (e.g. macserver1.school.local)
>> 2. Install Leopard Server in Advanced config
>> 3. Update to 10.5.2
>> 4. While still in Standalone mode, bind to AD using Directory Utility
>> 5. Change server role to OD master
>>
>> The result appears to be a working AD-OD triangle, in that Mac clients
>> bound to both will get MCX policies applied. I'm also able to add the
>> OD replica without any apparent problems.
>>
>> My concern is that Kerberos is stopped on the OD master. Is this
>> normal for a subordinate directory server? I have read the newly
>> updated Open Directory Admin guide, but it doesn't answer this
>> question. On page 69 it says "The subordinate server automatically
>> determines that it is subordinate to an Active Directory or Open
>> Directory server and configures itself accordingly."
>>
>> Does "accordingly" mean no Kerberos KDC?  Or is this a byproduct of a
>> .local AD domain? I have added both school.local and .local to the DNS
>> search policy in Network Preferences but it makes no difference.
>>
>> If this is not normal, is the solution to create a separate DNS domain
>> for the OD servers, and if so could it be OD.SCHOOL.LOCAL? I don't
>> think I can persuade the district's IT department to add another TLD
>> such as .private.
>>
>> Thanks,
>> Ian
>>
>
Macos-x-server mailing list      (email@hidden)