From the Trenches

Kerberos Problem: Wrong principal in request

Wednesday, August 31st, 2011

I recently set up a Mac OS X 10.6 Server, and to my surprise, out of the blue, encountered my old friend the Workgroup Manager lockout problem. Only, it wasn’t the same problem. The notable error message was in /var/log/slapd.log:


Aug 28 17:10:01 newserver slapd[54]: SASL [conn=177] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Wrong principal in request (found ldap/oldserver.netmojo.ca@NEWSERVER.NETMOJO.CA, wanted ldap/newserver.netmojo.ca@NEWSERVER.NETMOJO.CA))

The problem stemmed from an earlier (misguided) attempt to set up this new 10.6 Server (“newserver”) as an OD replica of a 10.5 Server (“oldserver”). It turns out that when you select “Setup an open directory replica” in Server Admin, it alters this file:

/etc/openldap/rootDSE.ldif:

dn:
dnsHostName: oldserver.netmojo.ca
krbName: ldap/oldserver.netmojo.ca@OLDSERVER.NETMOJO.CA

OpenLDAP reads this file for the attributes it publishes in its root DSE (the entry with the empty dn), and Open Directory clients use the krbName value to decide which service principal to request a ticket for. With the file still naming oldserver, clients asked the KDC for ldap/oldserver.netmojo.ca while slapd on newserver expected a ticket for ldap/newserver.netmojo.ca, which is exactly the mismatch in the log line above. When I changed the Open Directory role back to Master, Server Admin failed to update the rootDSE file to reflect the fact that it is no longer a replica (actually, it never quite was). Replacing “oldserver” with “newserver” — adding the proper local server name and Kerberos realm to this file — and then rebooting the server, fixed the problem.
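A quick sanity check for the same mistake, written as an added example rather than anything from the post: it reads a rootDSE.ldif, derives the LDAP service principal that this host should advertise, and reports any attribute that still names another server. The hostnames and realm are the ones from the log line above; the sample file is constructed here to reproduce the stale replica state, and the script assumes the two attributes shown in the post (dnsHostName and krbName) and the ldap/<fqdn>@<REALM> principal form.

```sh
#!/bin/sh
# Added example (not from the original post): verify that the Kerberos
# service principal advertised in OpenLDAP's rootDSE.ldif matches this host.
# Assumptions: the file carries dnsHostName and krbName as in the post, and
# the LDAP service principal has the form ldap/<fqdn>@<REALM>.

# Print the value of one attribute from a simple LDIF file (first occurrence).
ldif_attr() {
    # $1 = LDIF file, $2 = attribute name
    sed -n "s/^$2:[ ]*//p" "$1" | head -n 1
}

# Build the LDAP service principal expected for a host in a realm.
expected_krbname() {
    # $1 = fqdn, $2 = Kerberos realm
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# Compare a rootDSE.ldif against the host that actually runs slapd.
# Prints a report; returns 0 when both attributes match, 1 otherwise.
check_rootdse() {
    # $1 = path to rootDSE.ldif, $2 = this server's fqdn, $3 = realm
    file=$1; fqdn=$2; realm=$3
    have_host=$(ldif_attr "$file" dnsHostName)
    have_krb=$(ldif_attr "$file" krbName)
    want_krb=$(expected_krbname "$fqdn" "$realm")
    status=0
    if [ "$have_host" != "$fqdn" ]; then
        echo "dnsHostName mismatch: found '$have_host', wanted '$fqdn'"
        status=1
    fi
    if [ "$have_krb" != "$want_krb" ]; then
        echo "krbName mismatch: found '$have_krb', wanted '$want_krb'"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "rootDSE.ldif matches $fqdn in realm $realm"
    fi
    return "$status"
}

# Constructed sample: the rootDSE.ldif left behind by the failed replica setup.
STALE_ROOTDSE=$(mktemp)
cat > "$STALE_ROOTDSE" <<'EOF'
dn:
dnsHostName: oldserver.netmojo.ca
krbName: ldap/oldserver.netmojo.ca@OLDSERVER.NETMOJO.CA
EOF

# On the real server the same check would be:
#   check_rootdse /etc/openldap/rootDSE.ldif "$(hostname -f)" NEWSERVER.NETMOJO.CA
# Confirm what slapd actually advertises and which ldap/ key it holds with:
#   ldapsearch -x -H ldap://localhost -s base -b '' dnsHostName krbName
#   sudo klist -k
if check_rootdse "$STALE_ROOTDSE" newserver.netmojo.ca NEWSERVER.NETMOJO.CA; then
    echo "nothing to fix"
else
    echo "edit rootDSE.ldif so both attributes name this host, then reboot"
fi
```

The ldapsearch line shows what clients will see after the reboot; if it still reports the old host, slapd is reading a different rootDSE file than the one you edited.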


Tiger to Leopard Server Migration, Part Four

Wednesday, January 30th, 2008

Kerberos and Single Sign-on in Leopard Server

It has been a while since my last post of this series — sorry to keep you waiting. Kerberos on Mac OS X Server is a finicky thing, and it took me this long to get it working! Well, I did take a 3 week vacation, and was busy with other projects for at least 2 weeks … but it was a major pain in the ass to set up, and I’m not yet entirely satisfied.

To get straight to the point, the following procedure got Kerberos with single sign-on up and running for me. Hopefully it will work for you too.



Tiger to Leopard Server Migration, Part Three

Wednesday, November 14th, 2007

Picking up where the last article left off, this article looks at setting up the mail service in Leopard, including migrating mail data from Tiger.


Configuring the Mail Service

In the Server Admin application, I jumped right to the Settings part of the Mail section and filled out things appropriately. In the “Domain name” field I entered the fully qualified domain name of the server in its role as a mail server; this is the same address that is in the MX records in DNS. For example, “mail.netmojo.ca”.

The “Host name” field contains the fully qualified domain name of the server itself. “leopardserver.netmojo.ca”, for example.



Tiger to Leopard Server Migration, Part Two

Tuesday, November 13th, 2007

In Part One, I described the installation of Mac OS X Server 10.5, and the migration of settings from my old 10.4 Server to the new one, for a couple of services. In this article, I’ll go through the importing of user accounts and data from 10.4 (Tiger) to 10.5 (Leopard).


Migrating User Accounts From LDAP

The method that Apple recommends in their Upgrading and Migrating manual is to select user accounts in Workgroup Manager (WGM) and choose Export from the Server menu. This creates a comma-delimited text file of your user account data which can be imported with WGM in Leopard. However, the passwords are left out of the export.

