Tiger to Leopard Server Migration, Part Four
Kerberos and Single Sign-on in Leopard Server
It has been a while since my last post in this series — sorry to keep you waiting. Kerberos on Mac OS X Server is a finicky thing, and it took me this long to get it working! Well, I did take a 3 week vacation, and was busy with other projects for at least 2 weeks … but it was a major pain in the ass to set up, and I’m not yet entirely satisfied.
To get straight to the point, the following procedure got kerberos with single sign-on up and running for me. Hopefully it will work for you too.
1. Make sure that DNS is properly configured
You need to make absolutely certain that your DNS is properly configured. There is a lot of info out there on the web about this. Run ‘hostname’ at the command line — it should spit out your fully qualified domain name (FQDN), which is the name of your host plus the domain name, e.g. leopardserver.netmojo.ca. Your domain name by itself is not an FQDN.
Run ‘host your-servername’ on the command line. It should tell you your IP address. Then do the reverse: run ‘host your-ipaddress’. This should give you ‘your-ipaddress-backwards.in-addr.arpa domain name pointer your-full-hostname’.
This wasn’t a problem for me, but apparently some people can’t get this to work, and this solves the problem: add “your-ip-address your-FQDN” to the bottom of the /etc/hosts file, so that /etc/hosts looks like:
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
123.456.789.111 leopardserver.netmojo.ca
Once you are certain that your DNS configuration is correct, you can get started on Kerberos.
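The step 1 checks, scripted as an added example (not part of the original post): the helpers parse the output formats of hostname(1) and host(1) described above and can be tested offline, while the live mode runs the real commands against a domain you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: offline helpers for the step 1
# DNS sanity checks, plus a live mode that runs hostname(1) and host(1).

# Reverse-lookup name for an IPv4 address: 192.0.2.10 -> 10.2.0.192.in-addr.arpa
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# A name is an FQDN for DOMAIN only if a non-empty host part precedes the domain
# ("netmojo.ca" on its own is not an FQDN).
is_fqdn() {
    case "$1" in
        ?*."$2") return 0 ;;
        *)       return 1 ;;
    esac
}

# Address from a host(1) forward lookup line: "NAME has address IP"
addr_of() { printf '%s\n' "$1" | awk '/has address/ { print $4; exit }'; }

# Target of a host(1) reverse lookup line, without the trailing dot:
# "X.in-addr.arpa domain name pointer NAME."
ptr_target() { printf '%s\n' "$1" | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5; exit }'; }

# Does /etc/hosts-style text on stdin contain an "IP FQDN" line (comments skipped)?
hosts_has_entry() {
    awk -v ip="$1" -v name="$2" '
        /^[ \t]*#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Live check: hostname must be an FQDN in DOMAIN, resolve to an address, and
# that address must reverse-resolve to the same name.
live_check() {
    fqdn=$(hostname)
    is_fqdn "$fqdn" "$1" || { echo "FAIL: hostname '$fqdn' is not an FQDN in $1"; return 1; }
    ip=$(addr_of "$(host "$fqdn")")
    [ -n "$ip" ] || { echo "FAIL: no A record for $fqdn"; return 1; }
    back=$(ptr_target "$(host "$ip")")
    [ "$back" = "$fqdn" ] || { echo "FAIL: $(ptr_name "$ip") points to '$back', not $fqdn"; return 1; }
    hosts_has_entry "$ip" "$fqdn" < /etc/hosts || echo "note: no '$ip $fqdn' line in /etc/hosts"
    echo "OK: $fqdn <-> $ip"
}

# Usage: sh dnscheck.sh --live netmojo.ca
if [ "${1-}" = "--live" ]; then live_check "$2"; fi
```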
2. Start from scratch
I decided to start from scratch by removing the Kerberos-related files and de-configuring the KDC, since it wasn’t working properly for me anyway, and I seemed to be going in circles trying to fix it. Some things were working, like client logins, but other things, like iChat and AFS still required users to enter their passwords. In retrospect, the problem was likely due to my import of user accounts via LDIF files without the proper authAuthority entries for the new server’s Kerberos.
To remove the existing Kerberos configuration, I followed this guy’s advice, and used sso_util to remove my realm, and the local realm (LKDC…), which I won’t need since the server will be part of the new realm that I set up.
sso_util remove -k -a diradmin -p mypasswd -r MY.REALM
sso_util remove -k -a diradmin -p mypasswd -r LKDC:SHA1.C9DB48C6101D5CF8A3B11CE41EF999B771B490F8
Then I moved these files/directories to a backup dir (which I never used again):
mkdir ~/backup
cp -R /var/db/krb5kdc ~/backup
rm -rf /var/db/krb5kdc
mkdir -m 0700 /var/db/krb5kdc
mv /etc/krb5.keytab ~/backup
mv /Library/Preferences/edu.mit.Kerberos ~/backup
mv /Library/Preferences/DirectoryService/ ~/backup
If you get an error when you try to move /Library/Preferences/edu.mit.Kerberos, the user immutable flag is probably set. Remove it with the command:
chflags nouchg /Library/Preferences/edu.mit.Kerberos
3. Create a new edu.mit.Kerberos file
Run:
/sbin/kerberosautoconfig -f /LDAPv3/127.0.0.1 -r MYREALM.CA -v -m leopardserver.netmojo.ca -u -v 5
4. Set up the KDC
First in LDAP:
/usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p mypasswd -v 5 MYREALM.CA
...
Then on the filesystem (a “stock MIT configuration”):
kdcsetup -a diradmin -p mypasswd MYREALM.CA
You should now have a bunch of files in /var/db/krb5kdc that relate to your realm, such as “principal.MYREALM.CA”.
5. Create service principals in LDAP
Run:
slapconfig -kerberize -f diradmin MYREALM.CA
6. Kerberize all of the services
Run:
sso_util configure -r MYREALM.CA -a diradmin -p mypasswd all
This will add principals for the FQDN; if there are other names that your clients will use to access services, you can kerberize them like so:
krbservicesetup -r MYREALM.CA -a diradmin -p mypass xmpp xmpp/ichat.netmojo.ca@MYREALM.CA
I have a CNAME in DNS for ichat.netmojo.ca that points to my server. The above will add kerberos records to allow authentication to the ichat service, with that name.
Check the logs to make sure that everything is working: /var/log/system.log, /var/log/krb5kdc/kadmin.log, /var/log/krb5kdc/kdc.log. You should be able to connect seamlessly to kerberized services now. Each service may have its own little quirks though. SSHing to localhost, for example, gives me:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
IMAP seems to authenticate OK at first, but then changes its mind and asks for a password. iChat authenticates smoothly, as does AFP. I haven’t done other testing, but I get the sense that everything is going smoothly, and there are some service-specific gotchas to work out.
The next article will cover connecting client machines to the server. It seems to work effortlessly with Leopard clients, but I’m having some issues with a Tiger client…
Some useful resources
- http://docs.info.apple.com/article.html?artnum=302044-en
- http://books.google.com/books?id=WZJL4z…
- http://osxadmin.blogspot.com/2007/10/join-kerberos.html
- http://discussions.apple.com/message.jspa?messageID=5932911
- http://www.afp548.com/article.php?story=20060714092117916
- Apple Error Codes are explained in a table on this page.
- http://web.mit.edu/kerberos/krb5-1.6/krb5…

February 1st, 2008 at 14:38
The next article will cover connecting client machines to the server. It seems to work effortlessly with leopard clients, but I’m having some issues with a Tiger client…
Which issues did you have?
February 1st, 2008 at 14:52
I will discuss it in detail in my next post, but I was unable to bind to the directory from the Tiger client. I’m not using SSL, but otherwise all of the security options for binding are enabled, and there was a log entry indicating that at least one of them isn’t supported on Tiger.
February 1st, 2008 at 15:22
I had posted my problem here:
http://www.afp548.com/forum/viewtopic.php?showtopic=19422
February 7th, 2008 at 16:26
As it turned out, the problem was a client side issue. The Tiger client had an old /Library/Preferences/edu.mit.Kerberos file with a non-existent REALM in it. This was somehow interfering with the bind process; when I changed the REALM in that file to the correct one, it bound to the server without a problem.
However, I now have the same issue that you mention in your AFP forum post — no Kerberos authentication for the AFP service, even though users get a kerberos ticket when they login, and network home directories work…
February 7th, 2008 at 16:59
I solved my AFP problem. Check the Kerberos principal in your AFP settings using the ‘serveradmin’ command:
sudo serveradmin settings afp:kerberosPrincipal
It should match the afpserver principal that is listed in your keytab file:
klist -kt | grep afpserver
If not, you can set it using serveradmin:
serveradmin settings afp:kerberosPrincipal = afpserver/leopardserver.netmojo.ca@MYREALM.CA
It should echo the value after the ‘=’ back to you. After I changed this setting, I was able to login to a Tiger client, and I was automatically granted a kerberos ticket for afpserver/leopardserver.netmojo.ca@MYREALM.CA, and I could access the network filesystems without further authentication.
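The mismatch check from this comment as an added script (not from the original post or from Apple’s tools): it compares the afp:kerberosPrincipal setting against the afpserver entries in the keytab and prints the serveradmin command to run when they differ. The sample serveradmin and klist -kt output is constructed, and the quoting of the setting value is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or from Apple's tools: detect the
# AFP principal mismatch described above by comparing the afp:kerberosPrincipal
# setting with the afpserver entries in the keytab.

# Constructed sample output in the shape of 'serveradmin settings afp:kerberosPrincipal'
# and 'klist -kt'; the configured name deliberately does not match the keytab.
SAMPLE_SETTING='afp:kerberosPrincipal = "afpserver/oldname.netmojo.ca@MYREALM.CA"'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/01/08 10:00:00 afpserver/leopardserver.netmojo.ca@MYREALM.CA
   3 02/01/08 10:00:00 host/leopardserver.netmojo.ca@MYREALM.CA
   3 02/01/08 10:00:00 afpserver/leopardserver.netmojo.ca@MYREALM.CA'

# Principal from the setting line, with surrounding quotes stripped
afp_principal() {
    printf '%s\n' "$1" | awk -F' = ' '/^afp:kerberosPrincipal/ {
        v = $2; gsub(/^"|"$/, "", v); print v; exit }'
}

# Distinct afpserver/... principals in klist -kt output, one per line
keytab_afp_principals() {
    printf '%s\n' "$1" | awk '$NF ~ /^afpserver\// && !seen[$NF]++ { print $NF }'
}

# 0 if WANTED ($1) is one of the afpserver principals in KEYTAB_TEXT ($2), else 1
principal_in_keytab() {
    keytab_afp_principals "$2" | grep -qxF -- "$1"
}

# Report whether the configured principal matches the keytab; print the
# serveradmin command to run (not executed here) when it does not.
report() {
    cfg=$(afp_principal "$1")
    if principal_in_keytab "$cfg" "$2"; then
        echo "OK: afp:kerberosPrincipal = $cfg is in the keytab"
        return 0
    fi
    echo "MISMATCH: afp:kerberosPrincipal = '$cfg' but the keytab has:"
    keytab_afp_principals "$2" | sed 's/^/  /'
    echo "fix: sudo serveradmin settings afp:kerberosPrincipal = <principal from keytab>"
    return 1
}

# Usage: sh afpcheck.sh --live  (reads the real server); otherwise runs on the sample
if [ "${1-}" = "--live" ]; then
    report "$(sudo serveradmin settings afp:kerberosPrincipal)" "$(sudo klist -kt)"
else
    report "$SAMPLE_SETTING" "$SAMPLE_KEYTAB" || true   # the sample is meant to mismatch
fi
```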
February 29th, 2008 at 07:35
It seems that this command:
slapconfig -kerberize -f diradmin MYREALM.CA
actually performs the commands in steps 2 and 3 and the first command in step 6. It does a lot more also, including setting authAuthority records.
I had a similar problem that actually revolved around my /Local/Default directory and my LDAP directory containing stale Kerberos records. The records can be removed with the dscl utility:
cd /Local/Default
rm Kerberos*
cd /LDAPv3/127.0.0.1/Config
rm Kerberos*
After doing this the slapconfig command worked just fine. Before removing the records the kdcsetup command failed with a segmentation fault…
May 22nd, 2008 at 15:55
Brent,
I am a power user who just switched to Leopard Server. I set it up at home and have had various issues with it. I was fairly certain I had Kerberos set up right but I couldn’t connect to AFP at all. (Though at one point it was working ?!?) Your tip made it work right for me. Thanks for taking the time to write that down.
Mano
May 30th, 2008 at 10:23
I keep getting segmentation faults as well when running kdcsetup. Using the dscl utility I see that there are no Kerberos records to remove. Wondering if there is something else I’m missing?
June 3rd, 2008 at 06:18
Hello,
I’m sorry to disturb you again, but our server has another problem that I can’t find docs or help for on forums: cyrus seems to have a problem… all the log files in the mail section are good except the mail access log, which gives me:
excerpt from the mail access log:
Jun 3 13:35:03 artsway ctl_cyrusdb[3461]: DBERROR: couldn’t checkpoint: Operation not permitted
Jun 3 13:35:03 artsway ctl_cyrusdb[3461]: DBERROR: sync /var/imap/db: cyrusdb error
Jun 3 13:35:03 artsway ctl_cyrusdb[3461]: archiving log file: /var/imap/db/log.0000000001
Jun 3 13:35:03 artsway ctl_cyrusdb[3461]: done checkpointing cyrus databases
Jun 3 13:35:03 artsway master[161]: process 3461 exited, status 0
Jun 3 14:05:03 artsway master[3524]: about to exec /usr/bin/cyrus/bin/ctl_cyrusdb
Jun 3 14:05:03 artsway ctl_cyrusdb[3524]: checkpointing cyrus databases
Jun 3 14:05:03 artsway ctl_cyrusdb[3524]: archiving database file: /var/imap/annotations.db
Jun 3 14:05:03 artsway ctl_cyrusdb[3524]: DBERROR db4: /var/imap/deliver.db: unable to flush page: 0
Jun 3 14:05:03 artsway ctl_cyrusdb[3524]: DBERROR db4: txn_checkpoint: failed to flush the buffer cache Operation not permitted
Jun 3 14:05:03 artsway ctl_cyrusdb[3524]: DBERROR: couldn’t checkpoint: Operation not permitted
Jun 3 14:05:03 artsway ctl_cyrusdb[3524]: DBERROR: sync /var/imap/db: cyrusdb error
Jun 3 14:05:03 artsway ctl_cyrusdb[3524]: archiving log file: /var/imap/db/log.0000000001
Jun 3 14:05:03 artsway ctl_cyrusdb[3524]: archiving database file: /var/imap/mailboxes.db
Jun 3 14:05:03 artsway ctl_cyrusdb[3524]: DBERROR db4: /var/imap/deliver.db: unable to flush page: 0
Jun 3 14:05:03 artsway ctl_cyrusdb[3524]: DBERROR db4: txn_checkpoint: failed to flush the buffer cache Operation not permitted
From what I understand of the errors that are listed, it’s a problem at the cyrusdb level… but I don’t understand where the problem lies: this file was used on the old server and works there, but doesn’t work on the new one… can anyone help me? (I’m a beginner on Mac)
August 11th, 2008 at 08:37
I’m still getting Segmentation fault when trying to run step 4 ‘/usr/sbin/kdcsetup -f /LDAPv3/127.0.0.1 -w -a diradmin -p ***** -v 5 MYREALM.CA’
Even after removing Kerberos* like Benjamin suggested.
Also ‘slapconfig -kerberize -f diradmin MYREALM.CA’ gives me an error:
kdcsetup command failed with exit code 10: stdout=(null), error-message=Contacting the Directory Server
Any advice?
August 11th, 2008 at 08:38
Sorry, forgot to mention that the open directory master is a clean install of v10.5.4
August 16th, 2008 at 05:38
I’m having exactly the same problem as Ryan – clean install of 10.5.4 and getting Segmentation faults as well as the exit code 10.
V, v frustrating.
August 16th, 2008 at 05:39
Sorry, any help would be appreciated. It’s the only thing on my server that needs fixing.
August 16th, 2008 at 07:36
Ryan & Steven: can you connect to your directory service using ‘ldapsearch’ or other tools? Have you tried the kerberosautoconfig command from step 3? What do you see in the logs (/var/log/system.log, /var/log/slapd.log, /var/log/krb5kdc/kdc.log) when you’re getting segfaults and exit code 10?
Does the command:
serveradmin fullstatus dirserv
tell you anything useful about the state of Kerberos (kdc)?
August 16th, 2008 at 07:39
Oh, and did you do:
chflags nouchg /Library/Preferences/edu.mit.Kerberos
as per step 2?
September 6th, 2008 at 13:44
Brent, I am having the same segmentation fault problem as the other two posters. Is there some sort of a fix?
December 7th, 2008 at 19:11
One thing to try is using Server Admin to backup your Open Directory settings in the Archive tab of the Open Directory panel. Then go to the Settings panel, and click the Change button, and change to a stand alone server. Once the transition is complete, do the reverse: change back to an Open Directory Master, then use the Restore feature in the Archive tab to re-add your users & settings.
See the /Library/Logs/slapconfig.log file for the output of what went on beneath the GUI.
December 8th, 2008 at 06:13
Hi Brent,
Sounds like do or die. Better hope the open directory restore works after changing to standalone or you lose your ldap & password server configs.
February 26th, 2009 at 16:49
Hi,
thank you for that nice howto. I have much trouble with Kerberos.
But I have one problem at step 3:
I get the failure message: Couldn’t find KerberosClient config record
Hope someone has some good idea..
November 3rd, 2009 at 13:28
When I get to the command:
sso_util configure -r MYREALM.CA -a diradmin -p mypasswd all
I get this error:
Contacting the directory server
/Local/Default
/BSD/local
/LDAPv3/127.0.0.1
Creating the service list
Creating the service principals
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
The system log shows this:
Nov 3 14:06:22 aeaserver ReportCrash[88903]: Formulating crash report for process kdcsetup[88894]
Nov 3 14:06:23 aeaserver ReportCrash[88903]: Saved crashreport to /Library/Logs/CrashReporter/kdcsetup_2009-11-03-140622_aeaserver.crash using uid: 0 gid: 0, euid: 0 egid: 0
When I looked in the /var/krb5kdc directory, the principals I created are gone. What happened?
June 6th, 2010 at 16:34
Hi all,
I had Segmentation fault error when executing kdcsetup as well. The message was:
UpdateAdminUser: Auth Authority attribute for diradmin
{type = immutable, count = 2, values = (
0 : {contents = “;ApplePasswordServer;0×00000000000000000000000000000001,1024 35 1285924081981904565465406536457148623174895562755168052654929078909867635991888710162102732386543654546544759085369610501105413750998572819544855878566438906983732876122014813597622030164149064250824299113309426842687587598873290165941 root@controller.cluster:111.111.111.111″}
1 : {contents = “;Kerberosv5;0×00000000000000000000000000000001,1024 35 12859240819819029503367712297485960478506536457148623174895562755160987089098705957676359918887101621027323833234325712317894083715376442335521660781812831159278994759085369610501105413750998572819544855878566433432983732876122014813597622030164149064250824299113309426842687587598873290165941 root@controller.cluster:111.111.111.111″}
)}
Segmentation fault
My LDAP admin user name was “diradmin”. Something was wrong with the LDAP admin account. I created another user with administrative privileges on LDAP, ran kdcsetup with the new LDAP admin account, and everything works for me.
Hope it helps,
cheers
zzz
November 17th, 2010 at 12:50
Hi,
For the first couple of times, this how-to didn’t work for me. It gave me tons of problems, maybe because I wasn’t able to follow the instructions correctly. Anyway, I’d like to share what worked for me. I’m running 10.5.7; my users use a network profile that also exports their home directories via AFP. I also have exported static mounts through NFS. All these worked without Kerberos; I was only running LDAP Server and Password Server and my server was set to Directory Master. But there was a need for me to run Kerberos, plus I hate to see services that are not running, and here comes the journey to making my Kerberos run.
All the steps here worked, except that you have to watch out for a couple of things.
Under step 2:
mv /Library/Preferences/DirectoryService/ ~/backup
– not necessary; there is a tendency for this to screw up your OD
Under step 3:
/sbin/kerberosautoconfig -f /LDAPv3/127.0.0.1 -r MYREALM.CA -v -m leopardserver.netmojo.ca -u -v 5
– there’s no need to add the extra debug option after MYREALM.CA; if the above line didn’t work, then try removing the -v after MYREALM.CA
Everything else worked perfectly, except that in my case I encountered “krb5kdc: cannot initialize realm LKDC”,
so I followed these steps from another forum:
MY ACTUAL STEPS:
1.) I moved OpenDirectory to stand-alone mode.
2.) Backed up all files that matched /var/db/dslocal/nodes/Default/config/Kerberos/*.plist
3.) Deleted all of the files that matched /var/db/dslocal/nodes/Default/config/Kerberos/*.plist
4.) Restarted the server
5.) Promoted OD to master…
THEN FOLLOW ALL THE STEPS IN THIS HOW-TO EXCEPT FOR THE NOTES ABOVE AND MY KERBEROS IS NOW RUNNING PERFECTLY….
Thanks Brent… your how-to has helped a lot…
January 28th, 2011 at 04:56
I am very thankful for this topic because it really gives great information.
October 18th, 2011 at 15:46
Just change the last step (6.) :
sso_util configure -x -r CALIFORNIA.GYMNASE-YVERDON.VD.CH -a diradmin -p blAckbErrY -v 1 all
The -x option is essential to avoid an error and not documented by man…
And I don’t know if erasing the LKDC is a good idea… if you do so, don’t forget to erase its references in the /var/db/krb5kdc/kdc.conf file
But that’s the best I have read on the Web about this topic.
Thanks a lot.
October 18th, 2011 at 17:47
Once again, do that carefully and don’t forget to save your LDAP base before all.
The -x option seems dangerous !!!
Removing LKDC is a very bad idea, because when you restore your LDAP the script goes wrong if it’s not present, but works well if the LKDC exists.
December 2nd, 2011 at 15:27
Hi there, could anybody tell me how to use this article with Lion Server? E.g. the kerberosautoconfig-command cannot be found under Lion and concerning slapconfig the “-kerberize” option does not work.
Please HELP! Thanks.
December 2nd, 2011 at 15:43
Frank, check out the manual page for sso_util (by running ‘man sso_util’). It can rebuild Kerberos for you.
December 3rd, 2011 at 07:23
Brent, thanks for the hint but I am too stupid. Could you please explain to me the sso_util options I have to use to rebuild Kerberos? THANK YOU!