Hey All-
This is a bit off topic, but I've found this list has some of the most helpful Mac IT people I know of.
I'm working on setting up Open Directory in my company for the first time. My goal is to have everyone able to log into their laptops, using cached credentials since they may not be here, and other services with one password. I'd also like to be able to streamline management of users so we don't have to add accounts on numerous different systems.
I've done it back on Leopard, but always in a Golden Triangle scenario. The documentation from Apple seems thorough, yet unhelpful.
Specifically, I'm having problems with Authentication. I've set up an Open Directory Master in my office network, for now. DNS is all pointing to the right thing front and back. Server Admin even shows me that Kerberos is running. Yet when I go to the Settings pane for Open Directory I see a "Kerberize..." button at the bottom alongside an "Add Kerberos Record..." button. Odd, the documentation seems to tell me that the "Kerberize..." button should be gone if Kerberos is running. When I click on the button I get a page showing my Kerberos realm of LEXTECH.COM and asking for authentication. I authenticate as diradmin and the page goes away and comes right back.
I've got a test machine successfully "connected" to the domain. This is where things are a little more fuzzy for me. In Leopard, I would use Directory Util to join a computer to the domain. Now it seems there is an option to "Use a Server" in the system preferences. I've done that, and Login Window shows that I have network accounts available, yet when I try to log in the window expands to show the network user icon and then the login window shakes like I got the password wrong. Here's what the Password Server Log shows:
Mar 28 2011 07:32:00 RSAVALIDATE: success.
Mar 28 2011 07:32:00 AUTH2: {0x4d8d0ef008cddf820000000700000007, testuser1} DHX authentication succeeded.
Mar 28 2011 07:32:01 KERBEROS-LOGIN-CHECK: user {0x4d8d0ef008cddf820000000700000007, testuser1} is in good standing.
Mar 28 2011 07:32:01 KERBEROS-LOGIN-CHECK: user {0x4d8d0ef008cddf820000000700000007, testuser1} authentication succeeded.
Mar 28 2011 07:32:01 GETPOLICY: user {0x4d8d0ef008cddf820000000700000007, testuser1}.
Mar 28 2011 07:32:01 GETPOLICY: user {0x4d8d0ef008cddf820000000700000007, testuser1}.
Something isn't quite adding up here. Does anyone have any experience setting up Open Directory that wouldn't mind either pointing me to some good documentation or giving me some pointers?
Thanks
Ryan