Configuring a Mac OS X Snow Leopard Server 10.6 as an Open Directory Replica of an existing Open Directory Master frequently goes wrong in one specific way: the Kerberos service on the replica is not initialized properly, and the Open Directory Overview panel in 'Server Admin' reports 'Kerberos is: Stopped'.
Searching for this problem shows that the most common cause is a fault in DNS name resolution: when the replica cannot be resolved to, and recognized by, its proper FQDN (Fully Qualified Domain Name), the configuration of the Kerberos service fails. This matters because Kerberos identifies hosts by their DNS names; the service principals the KDC creates and the tickets clients obtain for them carry the host's FQDN, so a name that resolves differently on different systems breaks authentication rather than merely producing a warning.
The fix is not complicated, but the following operations have to be performed carefully and in this order:
- First things first: make sure your domain name does NOT end in '.local', even though that suffix is often suggested for local naming. In Mac OS X the '.local' domain is handled by Bonjour (multicast DNS), which takes priority over the unicast DNS service, so a '.local' name would never be resolved through your DNS server.
I recommend a non-public domain name such as '.private', '.lcl', '.my', '.office' and so on.
- After that, make sure your DNS service is configured correctly to serve the FQDNs (e.g. replica.mynetwork.private.), with a forward (A) record and a matching reverse (PTR) record for each server, and that one of those names matches the replica's hostname exactly (apart from the trailing '.', which DNS tools print and the hostname does not carry).
- Also check the DHCP service, if it is active: it must deliver the correct search domain and the IP address of a DNS server able to resolve the names of both the Open Directory Master and the Replica.
- Adjust the replica's hostname to match the DNS settings. You can set it with the 'scutil' command:
# scutil --set HostName replica.mynetwork.private
- Now demote the replica to a standalone directory by changing the server's role with the Open Directory Assistant.
The most important operations are now done.
Reboot the system and double-check the DNS and hostname configuration with the following commands:
# hostname
'hostname' prints the system's hostname, which should be exactly the FQDN configured in the DNS service.
# changeip --checkhostname
'changeip --checkhostname' performs a stricter check: it resolves the server's primary IP address and hostname through the same calls the other system services use, and reports whether the name found in DNS matches the configured hostname. It must report that the names match before you continue.
# nslookup replica.mynetwork.private
'nslookup' confirms that the DNS server returns the expected IP address for the requested name. It is worth looking that address up in reverse as well, to confirm the PTR record points back to the same FQDN.
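The script below bundles the checks above into something you can run on the replica before re-promoting it. It is an added example and not part of the original post or of Apple's tools: the pure-shell functions validate a candidate name (a real domain part, no trailing dot, nothing under '.local') and compare the name the DNS tools print, trailing dot and case included, with the configured hostname; the `live_check` wrapper then calls the real `hostname`, `scutil`, `dig` and `changeip` binaries and adds the reverse lookup. The name replica.mynetwork.private is the post's example; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: name sanity checks for an Open
# Directory replica before it is re-promoted. Function names are hypothetical.

# Return 0 if NAME can serve as the replica's FQDN: it must have a domain part,
# no leading/trailing dot and no empty label, must not live under '.local'
# (Bonjour answers that zone before DNS does), and must use hostname characters.
fqdn_is_valid() {
    name=$1
    case "$name" in
        ''|.*|*.|*..*) return 1 ;;        # empty, leading/trailing dot, empty label
        *.local|*.LOCAL) return 1 ;;      # multicast DNS zone, never served by DNS
        *.*) ;;                           # at least one dot: domain part present
        *) return 1 ;;                    # bare host name
    esac
    case "$name" in
        *[!A-Za-z0-9.-]*) return 1 ;;     # anything outside [A-Za-z0-9.-]
    esac
    return 0
}

# DNS tools print names with a trailing dot and may differ in case; the
# hostname carries neither, so normalize both sides before comparing.
canon_name() {
    printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'
}

names_match() {
    [ "$(canon_name "$1")" = "$(canon_name "$2")" ]
}

# Live check for the replica: the name sources the post inspects, plus forward
# and reverse DNS. Needs the OS X Server tools; only runs when a name is given
# on the command line, e.g.  ./check.sh replica.mynetwork.private
live_check() {
    want=$1
    fqdn_is_valid "$want" || { echo "FAIL: '$want' is not a usable FQDN"; return 1; }
    for got in "$(hostname)" "$(scutil --get HostName)"; do
        names_match "$want" "$got" ||
            { echo "FAIL: configured name '$got' does not match '$want'"; return 1; }
    done
    ip=$(dig +short A "$want" | head -n 1)
    [ -n "$ip" ] || { echo "FAIL: DNS returns no A record for $want"; return 1; }
    ptr=$(dig +short -x "$ip" | head -n 1)
    names_match "$want" "$ptr" ||
        { echo "FAIL: PTR for $ip is '$ptr', expected $want"; return 1; }
    changeip --checkhostname || return 1
    echo "OK: $want -> $ip -> $ptr"
}

if [ $# -gt 0 ]; then
    live_check "$1"
fi
```

Run it with the intended FQDN as the only argument; any FAIL line names the specific mismatch to fix before the replica is re-promoted.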
Now re-configure the server as an Open Directory Replica, again with the Open Directory Assistant. Provide the requested information; when the process completes, if you are lucky, the problem is fixed and 'Server Admin' shows 'Kerberos is: Running'.
Unfortunately I was not so lucky the first time I met this problem: on my replica the Kerberos service was still 'Stopped'.
After a couple of headaches and a lot of wasted time I found that one of the main Kerberos configuration files, '/Library/Preferences/edu.mit.Kerberos', was missing. That proved that, for some reason, the 'kdcsetup' step had not been executed.
To fix this it is necessary to run by hand the part of the procedure that configures and initializes the Kerberos KDC. This is the last portion of the manual procedure for joining a Replica to an existing Open Directory domain, and it consists of:
# /usr/sbin/kdcsetup -c /LDAPv3/127.0.0.1 -a diradmin -p -v 1
This command creates the file /Library/Preferences/edu.mit.Kerberos.
# /usr/sbin/kdb5_util -r
'kdb5_util' loads the information from the initial.dump file produced by the previous step into the realm's KDC database ('-r' is followed by the realm name).
# kdcsetup -e
'kdcsetup -e' enables kdcmond and kadmind in the launchd configuration, so the KDC and its administration daemon are started by launchd.
The Kerberos services should now be running on the replica.
Reboot the system to make sure they also start automatically at system initialization, and confirm that 'Server Admin' reports 'Kerberos is: Running'.
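As an added example (not from the original post or from Apple's tools), this script checks the outcome of the steps above on the replica: it reads the realm out of /Library/Preferences/edu.mit.Kerberos, which is a krb5.conf-style file, rejects realms that point back at the DNS problems discussed earlier, and compares the realm with the one the master uses. The sample configuration it can write, the `KRB_CONF` variable and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: verify that kdcsetup left a usable
# KDC configuration on the replica. Paths, function names and the sample
# configuration below are constructed for this example.

KRB_CONF=${KRB_CONF:-/Library/Preferences/edu.mit.Kerberos}

# Print the 'default_realm' from a krb5.conf-style file (edu.mit.Kerberos uses
# that format). Returns 1 if the file is unreadable or has no default_realm,
# which is the symptom of kdcsetup never having run.
realm_from_conf() {
    [ -r "$1" ] || return 1
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$realm" ] || return 1
    printf '%s\n' "$realm"
}

# Open Directory names the realm after the master's host name in upper case by
# default, so a lower-case realm or one under .LOCAL points back at the DNS
# problems discussed earlier.
realm_looks_sane() {
    case "$1" in
        ''|*.LOCAL|*.local) return 1 ;;
        *[a-z]*) return 1 ;;
    esac
    return 0
}

# 0 if CONF exists, names a sane realm, and that realm equals the master's.
kdc_config_ok() {
    conf=$1 master_realm=$2
    realm=$(realm_from_conf "$conf") ||
        { echo "kdcsetup did not run: $conf missing or without default_realm"; return 1; }
    realm_looks_sane "$realm" || { echo "suspicious realm '$realm'"; return 1; }
    [ "$realm" = "$master_realm" ] ||
        { echo "realm mismatch: replica $realm, master $master_realm"; return 1; }
    echo "OK: realm $realm"
}

# Writes a constructed edu.mit.Kerberos into a temp file and prints its path,
# so the check can be exercised without touching the real server.
sample_conf() {
    f=$(mktemp) || return 1
    printf '[libdefaults]\n\tdefault_realm = MASTER.MYNETWORK.PRIVATE\n\n[realms]\n\tMASTER.MYNETWORK.PRIVATE = {\n\t\tkdc = master.mynetwork.private:88\n\t\tadmin_server = master.mynetwork.private:749\n\t}\n' > "$f"
    printf '%s\n' "$f"
}

# Run against the real file when invoked with the master's realm, e.g.
#   ./kdc_check.sh MASTER.MYNETWORK.PRIVATE
if [ $# -gt 0 ]; then
    kdc_config_ok "$KRB_CONF" "$1"
fi
```

Read the master's realm from its own edu.mit.Kerberos file first; a replica whose file is missing fails at the first step, which is exactly the state the manual kdcsetup run repairs.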
Thanks a million for posting the solution. Kerberos is now up and running on my replica!
Did you ever try to set up a lion replica for a snow leopard server?
Is this a valid use case for apple?
Hi Ralf,
honestly I haven’t tried.
Still I didn’t have the chance to dig on such information.
As far as I could see, the server versions of Lion and Snow Leopard are slightly different in the way they manage the services, and especially in the number of services you can manage from the Server Admin application rather than from System Preferences.
The support for Windows clients on Lion has been dropped, apparently the samba service has been dropped in favor of a reimplementation of the SMB/CIFS protocol (but still I have to verify if it’s a true reimplementation or if they just reduced the capabilities of the samba service).
I would not be surprised if they have changed the implementation of some core functionality of the Open Directory service. In fact, when I upgraded one of my Snow Leopard servers to Lion the whole database was destroyed and I had to reimport it from a manual backup of the users database.
Because of that I don't really believe that Lion could be used as a replica of Snow Leopard, in the same way Leopard couldn't be used as a replica of Snow Leopard (according to the training books for the Apple certifications).
Having this problem on one of my 10.7 Lion Servers (Replica). Got a 'success' on nslookup. Looks like the /Library/Preferences/edu.mit.Kerberos file is not necessary in 10.7.2. At least I don't see it on my Master OD Server.
Must say there is not much documentation available about Kerberos on Lion.
Super star! worked like a charm, thanks!