MarcoMC Tech, Cuisine, Traveling…my hobbies, my life

March 18, 2011

Mac OS X Server 10.6 Open Directory Replica: “Kerberos is: Stopped”

Configuring a Mac OS X Snow Leopard Server 10.6 as an Open Directory Replica of your Open Directory Master commonly runs into trouble: very often the Kerberos service is not initialized properly and shows up in the Open Directory Overview panel of ‘Server Admin’ as ‘Kerberos is: Stopped’.

Googling about this problem, I found that the most common cause is a fault in DNS name resolution: it breaks the configuration of the Kerberos service because the Open Directory Replica server is not recognized and associated with its proper FQDN (Fully Qualified Domain Name).

The fix to this problem is not complicated, but it requires us to carefully perform these operations:

  1. First things first: although it is a commonly recommended option for local domain naming, make sure that your domain name does NOT end in ‘.local’.
    In Mac OS X the ‘.local’ domains are resolved by default by the Bonjour service, which takes priority over the DNS service.
    I recommend choosing a non-public domain name like ‘.private’, ‘.lcl’, ‘.my’, ‘.office’ and so on.
  2. After that, make sure your DNS is PERFECTLY configured to serve FQDN names (e.g. replica.mynetwork.private.) and that one of these names fully matches the replica’s hostname (apart from the trailing ‘.’).
  3. Also check the DHCP service, if it is active, to be sure it delivers the correct search domain and the IP address of a DNS server able to resolve the names of your Open Directory Master and Replica servers.
  4. Adjust the Replica server’s hostname to match the DNS settings. You can modify the hostname of your replica server with the ‘scutil’ command:
    # scutil --set HostName replica.mynetwork.private
  5. Now demote the replica server to a standalone directory, using the Open Directory Assistant to change the server’s role.

The most important operations are now done.
I recommend rebooting the system and double-checking the DNS and hostname configuration with the following commands:

# hostname

The ‘hostname’ command shows the hostname, which should match the FQDN configured in the DNS service.

# changeip --checkhostname

The ‘changeip’ command performs a more accurate check of the hostname, using the same system calls as the other system processes and applications.

# nslookup replica.mynetwork.private

The ‘nslookup’ command checks that the DNS server returns the appropriate IP for the requested domain name.
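As an added example that is not part of the original post, the shell script below automates the checks described in steps 1 to 4 and in the ‘hostname’ and ‘nslookup’ commands above: it rejects a ‘.local’ or bare hostname, extracts the answer address from ‘nslookup’ output and verifies that the reverse lookup returns the same FQDN. The name replica.mynetwork.private, the address 192.168.1.10, the sample nslookup output and the ‘--live’ flag are constructed assumptions.

```shell
#!/bin/sh
# Pre-flight check of the replica's FQDN before running the Open Directory
# Assistant. Added example; the names, addresses and the nslookup output used
# in the checks are constructed, not taken from a real server.

# Drop the trailing '.' that a DNS FQDN carries but a hostname does not.
strip_dot() { printf '%s' "$1" | sed 's/\.$//'; }

# A usable replica name has at least two labels and is not under .local,
# which Bonjour/mDNS resolves ahead of unicast DNS on Mac OS X.
check_fqdn_form() {
    name=$(strip_dot "$1")
    case "$name" in
        *.local) return 1 ;;   # captured by mDNS, never reaches the DNS server
        *.*)     return 0 ;;
        *)       return 1 ;;   # bare short name, not an FQDN
    esac
}

# The hostname must equal the DNS name apart from the trailing dot and case.
names_match() {
    [ "$(strip_dot "$1" | tr 'A-Z' 'a-z')" = "$(strip_dot "$2" | tr 'A-Z' 'a-z')" ]
}

# Pull the answer address out of 'nslookup <name>' output, skipping the
# 'Server:/Address:' header that names the resolver (with its #53 port).
forward_addr() {
    printf '%s\n' "$1" | awk '/^Name:/ {ans=1; next} ans && /^Address:/ {print $2; exit}'
}

# Pull the PTR target out of 'nslookup <ip>' output ("... name = host.").
reverse_name() {
    printf '%s\n' "$1" | awk '/name = / {print $NF; exit}' | sed 's/\.$//'
}

# Full check against the live system; run as: sh <this file> --live
if [ "${1:-}" = "--live" ]; then
    h=$(hostname)
    check_fqdn_form "$h"    || { echo "hostname '$h' is not a usable FQDN"; exit 1; }
    ip=$(forward_addr "$(nslookup "$h")")
    [ -n "$ip" ]            || { echo "no A record for $h"; exit 1; }
    ptr=$(reverse_name "$(nslookup "$ip")")
    names_match "$h" "$ptr" || { echo "PTR for $ip is '$ptr', not $h"; exit 1; }
    echo "OK: $h <-> $ip round-trips; now run changeip --checkhostname"
fi
```

A failure in any of these checks explains why kdcsetup later binds the KDC to the wrong name, so it is worth fixing DNS before demoting and re-promoting the replica.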

Now it’s time to reconfigure the server as an Open Directory Replica; you can use the Open Directory Assistant again. Provide the requested information and, when the process finishes, if you’re lucky enough the problem will be fixed and ‘Server Admin’ will show ‘Kerberos is: running’.

Unfortunately I was not so lucky the first time I encountered this problem: on my replica server the Kerberos service was still in ‘Stopped’ status.

After a couple of headaches and a lot of wasted time I figured out that one of the main Kerberos configuration files, ‘/Library/Preferences/edu.mit.Kerberos’, was missing. This was proof that, for some reason, the ‘kdcsetup’ process had not been executed.

To fix this issue it is necessary to perform manually the procedure that configures and initializes the Kerberos process. This is actually the last part of the manual procedure for joining a Replica to an existing Open Directory domain, and it consists of the following commands:

# /usr/sbin/kdcsetup -c /LDAPv3/127.0.0.1 -a diradmin -p -v 1

This command will create the file /Library/Preferences/edu.mit.Kerberos.

# /usr/sbin/kdb5_util -r

The ‘kdb5_util’ command loads the information from the initial.dump file created in the previous step into the Kerberos realm.

# kdcsetup -e

The ‘kdcsetup -e’ command enables kdcmond and kadmind in the launchd configuration.

Now the Kerberos services should be running on the replica server.

Reboot the system to make sure they start automatically at system initialization.
