
Monday, March 17, 2008

Kerberos Issues with Open Directory 10.5? Here is a Sure-Fire Fix

I thought I would post this, as we ran into a similar situation in our class. At times, when you try to start Kerberos on Mac OS X 10.5 Server, the realm refuses to start. The first thing to do is check the host name with changeip and track down the problem in your DNS: Kerberos needs the server's fully qualified host name to resolve both forward and reverse. Then you can fix the Kerberos issues with the following steps, taken from Apple's support documentation:

1. Fix your DNS: this is necessary; otherwise the steps below will not work.

2. Fix your /etc/hosts file: best done in Terminal. Run sudo bash and authenticate to get a root shell, then run vi /etc/hosts. Add a line with your server's IP address and fully qualified domain name, like this:

   10.1.0.1 mainserver.pretendco.com

3. Set your host name: as root, run the following command:

   scutil --set HostName mainserver.pretendco.com

   Replace mainserver.pretendco.com with your own server's fully qualified domain name in this step and in all the steps that follow.

4. Initialize Kerberos: this takes three commands, all run as root. The realm name is the server's host name in upper case; diradmin is the directory administrator's login name and diradmin_password is that account's password, so replace both with your own.

   slapconfig -kerberize diradmin MAINSERVER.PRETENDCO.COM
   sso_util configure -r MAINSERVER.PRETENDCO.COM -f /LDAPv3/127.0.0.1 -a diradmin -p diradmin_password -v 1 all
   sso_util configure -r MAINSERVER.PRETENDCO.COM -f /LDAPv3/127.0.0.1 -a diradmin -p diradmin_password -v 1 ldap
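The four steps above gathered into one small POSIX shell script. This is an added example, not code from the post or from Apple: it assumes the placeholder values the post uses (10.1.0.1, mainserver.pretendco.com, diradmin), it derives the realm from the upper-cased host name exactly as step 4 does, and the is_fqdn guard and the idempotent hosts-file append are my own additions. The hosts-file helpers are plain text manipulation and can be tried on a copy of /etc/hosts; the kerberize function only runs when all three arguments are given, because it calls changeip, scutil, slapconfig and sso_util as root on the Open Directory master.

```shell
#!/bin/sh
# Added example (not from the original post). Usage on the OD master, as root:
#   sh od-kerberize.sh 10.1.0.1 mainserver.pretendco.com diradmin
# IP, host name and admin name are the post's placeholders; use your own.

# Step 4 convention: the Kerberos realm is the server's FQDN in upper case.
realm_for_host() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Guard I added: reject bare host names and ".local" (Bonjour) names, since
# Kerberos needs a fully qualified name that DNS actually resolves.
is_fqdn() {
    case "$1" in
        *.local|*.) return 1 ;;
        *.*)        return 0 ;;
        *)          return 1 ;;
    esac
}

# Does hosts file $1 already map IP $2 to FQDN $3 on one line?
hosts_has_entry() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    host_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${ip_re}[[:space:]]+${host_re}([[:space:]]|\$)" "$1" >/dev/null 2>&1
}

# Step 2: append "IP<TAB>FQDN" once; rerunning the script must not duplicate it.
ensure_hosts_entry() {
    if ! hosts_has_entry "$1" "$2" "$3"; then
        printf '%s\t%s\n' "$2" "$3" >> "$1"
    fi
}

# Steps 1, 3 and 4: only meaningful on the real server, as root.
kerberize() {
    ip=$1; fqdn=$2; admin=$3
    realm=$(realm_for_host "$fqdn")
    is_fqdn "$fqdn" || { echo "need a fully qualified host name, got: $fqdn" >&2; return 1; }

    # Step 1: forward and reverse DNS must agree before anything else.
    changeip -checkhostname || { echo "fix DNS first (see changeip output)" >&2; return 1; }

    # Step 2
    ensure_hosts_entry /etc/hosts "$ip" "$fqdn"

    # Step 3
    scutil --set HostName "$fqdn"

    # Step 4: read the admin password from the terminal instead of the
    # command line so it does not end up in the shell history.
    printf 'Password for %s: ' "$admin"
    stty -echo; read -r pw; stty echo; echo
    slapconfig -kerberize "$admin" "$realm"
    sso_util configure -r "$realm" -f /LDAPv3/127.0.0.1 -a "$admin" -p "$pw" -v 1 all
    sso_util configure -r "$realm" -f /LDAPv3/127.0.0.1 -a "$admin" -p "$pw" -v 1 ldap
    echo "done; reboot and check Server Admin"
}

if [ "$#" -eq 3 ]; then
    kerberize "$@"
fi
```

The script reads the directory administrator's password from the terminal rather than taking it as an argument, so it does not land in the shell history; sso_util's -p option still exposes it briefly in the process list while that command runs, which is the one thing this wrapper cannot avoid. After the reboot, kinit diradmin@MAINSERVER.PRETENDCO.COM followed by klist should show a ticket-granting ticket for the realm; if kinit cannot find the KDC, go back to step 1.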

Once you finish these steps, reboot the machine, and check your Server Admin utility. You should see that you have all your services running on your Open Directory Master.

Even with this trouble, Kerberos seems really simple to set up with a Mac server. I've never tried it on a Linux server, but from the expressions on some friends' faces when I suggest it, it doesn't seem to be very simple. I'm not sure how it's implemented in Active Directory either, though I do know it's just as frustrating when it doesn't work.

Monday, July 09, 2007

MacBook Pro with Mac OS X Server Installed: Why It's Not Supported

A while ago I had an authentication problem with Mac OS X Server 10.4.9. I set up my classroom server with a specific account (Sharon Accounte), and my students were supposed to authenticate to their server, which was connected to my server. Instead, they received an error denying access and suggesting that the account was wrong. I checked the account on the server and authenticated locally without any trouble, so I knew it wasn't the account. I then checked the server logs, and found no errors in the Directory or Password Server logs.

I then checked with other Server Essentials instructors to see what the problem could be. Everyone suggested checking the directory entry using the command line tool dscl. This tool lets you navigate the directory as though it were a file system, and you can read the authentication information the server provides. While checking this, I noticed that everything was being provided, which stumped the other instructors as to what the cause could be.

Well, after running some tests after the class, I found out what the issue was. First, it's important to note that I had used a MacBook Pro as the server (our lab is mobile, and it was the most convenient way to get it done), so the problem is not typical, as laptops are not a supported platform for Server. Next, I had upgraded to 10.4.9, which provided AirPort support (and didn't crash the system as 10.4.8 did).

Before I had upgraded, the authentication worked just fine. After upgrading, it wouldn't authenticate, and there were no errors in the Password Server log. It seems that, at least for a laptop install, the server has trouble authenticating with later releases (I haven't tried 10.4.10 yet).

So, for anyone out there that is using a MacBook or MacBook Pro as their mobile lab server, this may be of some use. I'll test it with 10.4.10 next week during the Server class Challenge. For now, the base install of 10.4.7 on a MacBook Pro will work, sans the Airport. But, as the server should be connected through Ethernet anyway, it shouldn't be that much of a problem.

But the question still remains: What is significantly different from the Mac Pro to the MacBook Pro that would cause the server to fail in authenticating without providing error log entries? I'm not sure I will ever find out, but at least I now know that the classroom server will work just fine, and I don't have to lug around a Mac Pro just to teach a class.

Friday, April 06, 2007

Friday Round Up: Kerberos, Hydroponics

Because I haven't posted much of anything this week, I thought I would take today to round up all the topics I would have covered, had I posted them. ^_^ There has been a lot going on this week that I wanted to share, and so little time to post it.

Kerberos
I have to admit, I had never really gotten Kerberos before. I understand why someone would want a single sign-on solution, and why it's necessary to have an authentication system that doesn't pass your password around. But it never really made a lot of sense to me until I started working with the Mac OS X Server platform. Why then? Because OS X Server makes initializing Kerberos so relatively easy (more on that later) that utilizing it makes sense.

For those not familiar with Kerberos, it's an authentication method in which clients prove their identity with tickets instead of sending a username and password to each service. The tickets are encrypted and time-stamped to preserve the integrity of the system.

Apparently, based on the entries I have seen in various forums, it's a beast to get running properly in any platform. But Mac OS X Server integrates it with the Open Directory Master, so as long as your DNS is working properly (and you have your server's DNS entry in your /etc/hosts file), you can have a relatively consistent Kerberos experience right out of the box. This is great for any small to medium-sized business that is looking for a single sign on solution for their server environment.

So, Kerberos is working. Now what? What can you use it for? Well, Mac OS X Server has the following services that are kerberized (compatible with Kerberos):

Directory Services
Apple File Protocol (AFP)
Windows Services (SMB)
Virtual Private Networking (VPN)
Mail
File Transfer Protocol (FTP)
Xgrid

So, you can Kerberize your access to these features. Granted, not everyone in a mixed platform environment can utilize AFP, but most everyone can utilize Samba in one form or another, so you have your single sign on file server.

Then, you can utilize single sign on for Directory login, or network access. Because Apple's Open Directory is just LDAPv3 (OpenLDAP), directory services can be integrated into any platform. That means you can even integrate your Windows system into Open Directory for a Kerberized login.

VPN defaults to Layer 2 Tunneling Protocol (L2TP), but if you need to, you can set it up for Point-to-Point Tunneling Protocol (PPTP). As you can set up Kerberized access for it either way, both solutions can be very convenient.

Mail is the example used in the Server Essentials Kerberos video. It's easy to see why you would want a kerberized mail system set up for business email, and Mail is all set for Kerberos.

Kerberizing FTP didn't make much sense to me, except that plain FTP sends the user ID and password in clear text. As it uses your directory account to control FTP access, it becomes your weakest link. That alone is the best reason to kerberize the service.

I don't have a lot to say about Xgrid, because I haven't ever used it and I don't have an environment that requires it. Needless to say, it looks cool, and anything that is kerberized can't be all bad. ^_^

There is a rumor that the Team server in OS X 10.5 will be kerberized, along with iChat server. If that's the case, it will eliminate most of the weakest links in the services that are used within a business, making the solution that much more attractive to larger businesses.

I'm going to be playing with Kerberos and kerberized services within the next few weeks as I prepare for the Apple Certified Systems Administrator certification, so hopefully I will be able to shed more light on the service.

Hydroponics Update
I just wanted to post that my first experiment with hydroponics and starter plants seems to be working! My cucumbers just started to sprout, and I'm really excited! I figure that the pumpkins will be next, followed by the artichokes and perhaps the pansies. As soon as I get some greenery, I'll post a picture. ^_^

So, that has been my week so far. I'm working on a new server deployment for the classroom, and starting this next week I will be preparing myself for the Office 2007 offerings that we are starting this Summer. For those looking for Office 2007 training (and you will probably need it, as it's so different from previous versions), feel free to check out our offerings at http://continue.utah.edu/edtech!