Technology
From the Trenches

Kerberos Problem: Wrong principal in request

Wednesday, August 31st, 2011

I recently set up a Mac OS X 10.6 Server, and to my surprise, out of the blue, encountered my old friend the Workgroup Manager lockout problem. Only, it wasn’t the same problem. The notable error message was in /var/log/slapd.log:

Aug 28 17:10:01 newserver slapd[54]: SASL [conn=177] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request (found ldap/oldserver.netmojo.ca@NEWSERVER.NETMOJO.CA, wanted ldap/newserver.netmojo.ca@NEWSERVER.NETMOJO.CA))

The problem stemmed from an earlier (misguided) attempt to set up this new 10.6 Server (“newserver”), as an OD replica of a 10.5 Server (“oldserver”). It turns out that when you select “Setup an open directory replica” in Server Admin, it alters this file:

/etc/openldap/rootDSE.ldif:

dn:
dnsHostName: oldserver.netmojo.ca
krbName: ldap/oldserver.netmojo.ca@OLDSERVER.NETMOJO.CA

This file is used by OpenLDAP to determine which server the current server is a replica of. When I changed the Open Directory role back to Master, Server Admin failed to update the rootDSE file to reflect the fact that it is no longer a replica (actually, it never quite was). Replacing “oldserver” with “newserver” — adding the proper local server name and Kerberos realm to this file — and then rebooting the server fixed the problem.
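As an added check (this script is not part of the original post), the following Python code parses the slapd.log error quoted above, takes the host and realm from the principal slapd says it wanted, and reports which rootDSE.ldif attributes disagree, then renders the corrected file. The log line and LDIF are the ones from the post; the LDIF reader is deliberately minimal and assumes plain `attr: value` lines with no continuation or base64 values.

```python
import re

# Constructed from the post: the slapd.log line and the stale rootDSE.ldif.
SLAPD_LINE = (
    "Aug 28 17:10:01 newserver slapd[54]: SASL [conn=177] Failure: GSSAPI Error: "
    "Unspecified GSS failure. Minor code may provide more information "
    "(Wrong principal in request (found ldap/oldserver.netmojo.ca@NEWSERVER.NETMOJO.CA, "
    "wanted ldap/newserver.netmojo.ca@NEWSERVER.NETMOJO.CA))"
)
STALE_ROOTDSE = "dn:\ndnsHostName: oldserver.netmojo.ca\nkrbName: ldap/oldserver.netmojo.ca@OLDSERVER.NETMOJO.CA\n"

WRONG_PRINCIPAL_RE = re.compile(r"Wrong principal in request \(found ([^,]+), wanted ([^)]+)\)")

def parse_wrong_principal(line):
    """Return (found, wanted) service principals from the GSSAPI error, or None."""
    m = WRONG_PRINCIPAL_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

def split_principal(principal):
    """'ldap/host@REALM' -> ('ldap', 'host', 'REALM')."""
    service_host, _, realm = principal.partition("@")
    service, _, host = service_host.partition("/")
    return service, host, realm

def parse_rootdse(text):
    """Minimal LDIF attribute reader (assumption: plain 'attr: value' lines only)."""
    attrs = {}
    for raw in text.splitlines():
        if raw.startswith("#") or ":" not in raw:
            continue
        key, _, value = raw.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs

def check_rootdse(text, wanted_principal):
    """List (attribute, value_in_file, expected) mismatches; [] means the file is right."""
    service, host, realm = split_principal(wanted_principal)
    expected = {"dnsHostName": host, "krbName": f"{service}/{host}@{realm}"}
    attrs = parse_rootdse(text)
    return [(k, attrs.get(k), v) for k, v in expected.items() if attrs.get(k) != v]

def corrected_rootdse(wanted_principal):
    """Render rootDSE.ldif content naming the local host and realm."""
    service, host, realm = split_principal(wanted_principal)
    return f"dn:\ndnsHostName: {host}\nkrbName: {service}/{host}@{realm}\n"

if __name__ == "__main__":
    found, wanted = parse_wrong_principal(SLAPD_LINE)
    for attr, got, want in check_rootdse(STALE_ROOTDSE, wanted):
        print(f"{attr}: file has {got!r}, slapd wants {want!r}")
    print(corrected_rootdse(wanted), end="")
```

Run it on the real files with the server's own slapd.log line and rootDSE.ldif; an empty mismatch list means the remaining failure lies elsewhere (for example a stale keytab) rather than in this file.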


Kerberos Issues With Podcast Producer / XGrid on Leopard Server

Wednesday, March 19th, 2008

I ran into several difficulties setting up Podcast Producer in Leopard Server. I followed the setup instructions in the manual, but when it came to getting Xgrid up and running, I hit a wall.

Here are the problems that I encountered:

“agent could not determine the expected controller service principal”

The Podcast Producer manual says that Kerberos authentication in Xgrid is necessary (page 26)…
(more…)


Tiger to Leopard Server Migration, Part Four

Wednesday, January 30th, 2008

Kerberos and Single Sign-on in Leopard Server

It has been a while since my last post of this series — sorry to keep you waiting. Kerberos on Mac OS X Server is a finicky thing, and it took me this long to get it working! Well, I did take a 3-week vacation, and was busy with other projects for at least 2 weeks … but it was a major pain in the ass to set up, and I’m not yet entirely satisfied.

To get straight to the point, the following procedure got Kerberos with single sign-on up and running for me. Hopefully it will work for you too.

(more…)


Locked Out of Leopard Server: Fixing the Workgroup Manager Problem

Wednesday, November 21st, 2007

I booted up my Leopard server yesterday to discover that my directory administrator account — that’s the one used to authenticate to /LDAP/127.0.0.1 in Workgroup Manager — appeared to be broken. It looked as if I was locked out, as if I had forgotten my password. I knew that I hadn’t forgotten my password, and I verified that by logging into the directory using ldapsearch. However, Workgroup Manager insisted, “login information not valid for this server”.

I worked on it for a while, sifting through log files and Googling for answers, but ran out of time for the evening: I was almost late for American Gangster. To my surprise, when I booted up Leopard server today, it worked. To confirm my sanity, I rebooted again: this time, no dice. So there was some kind of random failure happening. After some hunting around, I noticed a single entry in slapd.log:

slapd[40]: SASL [conn=9] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)

(more…)
