Please HELP! Thanks.

-x option seems dangerous !!!

Removing LKDC is a very bad idea, because when restore your LDAP the script goes wrong if it’s not present, but well if the LKDC exists.

sso_util configure -x -r CALIFORNIA.GYMNASE-YVERDON.VD.CH -a diradmin -p blAckbErrY -v 1 all

The -x option is essential to avoid an error and not documented by man…

And I don’t know if erasing the LKDC is a good idea… if you do so don’t forget to erase his references it in the /var/db/krb5kdc/kdc.conf file

But that’s the best I have read on the Web about this topic.

Thanks a lot.

for the first couple of times, this how to didn’t worked for me. It gave me tons of problem, maybe because i wasn’t able to follow the instruction correctly. Anyway id like to share what work for me im running 10.5.7, my users use a network profile that also exports their home directories via afp. I also have exported static mounts through nfs. All these worked without kerberos, i was only running LDAP Server and Password Sever and my server was set to Directory master. But there was a need for me to run kerberos, plus i hate to see services that is not running and here comes the journey to making my kerberos run.

all the steps here worked except that you have watched out for couple of things.

under step 2

mv /Library/Preferences/DirectoryService/ ~/backup
– not necessary their might be tendency that this will screw your OD

under step 3
/sbin/kerberosautoconfig -f /LDAPv3/127.0.0.1 -r MYREALM.CA -v -m leopardserver.netmojo.ca -u -v 5

– theres no need to add the extra debug option after MYREALM.CA, if the above line didn’t work then try removing the -v after MYREALM.CA

everything else work perfectly except that in my case i encounter “krb5kdc: cannot initialize realm LKDC”

so i followed the following from another forum:

MY ACTUAL STEPS:

1.) I move to OpenDirectory to stand alone mode.
2.) Backed up all files that matched /var/db/dslocal/nodes/Default/config/Kerberos/*.plist
3.) Deleted all of the files that matched /var/db/dslocal/nodes/Default/config/Kerberos/*.plst
4.) Restarted the server
5.) Promoted OD to master…

THEN FOLLOW ALL THE STEPS IN THIS HOW EXCEPT FOR THE NOTES ABOVE AND MY KERBEROS IS NOW RUNNING PERFECTLY….

thanks brent… you howto have helped a lot…

I had Segmentation fault error when executing kdcsetup as well. The message was:

UpdateAdminUser: Auth Authority attribute for diradmin
{type = immutable, count = 2, values = (
0 : {contents = “;ApplePasswordServer;0×00000000000000000000000000000001,1024 35 1285924081981904565465406536457148623174895562755168052654929078909867635991888710162102732386543654546544759085369610501105413750998572819544855878566438906983732876122014813597622030164149064250824299113309426842687587598873290165941 root@controller.cluster:111.111.111.111″}
1 : {contents = “;Kerberosv5;0×00000000000000000000000000000001,1024 35 12859240819819029503367712297485960478506536457148623174895562755160987089098705957676359918887101621027323833234325712317894083715376442335521660781812831159278994759085369610501105413750998572819544855878566433432983732876122014813597622030164149064250824299113309426842687587598873290165941 root@controller.cluster:111.111.111.111″}
)}
Segmentation fault

My LDAP admin user name was “diradmin”. Something was wrong with LDAP admin account. I created another user with administrative priv on LDAP. Run kdcsetup with new LDAP admin account and everything works for me.

Hope it helps,

cheers
zzz

I get this error:

Contacting the directory server
/Local/Default
/BSD/local
/LDAPv3/127.0.0.1
Creating the service list
Creating the service principals
kadmin: Cannot contact any KDC for requested realm while initializing kadmin interface
SendInteractiveCommand: failed to get pattern
The system log shows this:

Nov 3 14:06:22 aeaserver ReportCrash[88903]: Formulating crash report for process kdcsetup[88894]
Nov 3 14:06:23 aeaserver ReportCrash[88903]: Saved crashreport to /Library/Logs/CrashReporter/kdcsetup_2009-11-03-140622_aeaserver.crash using uid: 0 gid: 0, euid: 0 egid: 0

When I looked in the /var/krb5kdc directory, the principals I created are gone. What hapened?

thank you for that nice howto. I have much trouble with Kerberos.
But I have one problem at step 3:
I get the failure message: Couldn’t find KerberosClient config record

Hope someone has some good idea..