Kerb-what?
May 13, 2009 9:14 PM

Please help an OS X/Open Directory/Kerberos n00b -- I can't reset the directory administrator's password in OS X Server 10.4.

I'm helping a local school with some connectivity issues between their 10.4.11 server, and their swanky new 24" iMacs with 10.5.6; all kinds of permissions issues that are, according to Apple, related to an unconfigured DNS/Open Directory situation.

I know basic OSX Server configuration, but I am very unfamiliar with OD. I'm following these instructions from Apple successfully so far, but I'm hitting a brick wall where either:

a) someone has set the username/password for the diradmin user prior to my attempt to do so, or

b) the password has never been set, but the server is not allowing me to set said password.

Assuming the former, I found these instructions on resetting the diradmin password, but...I'm stuck at, "Open Workgroup Manager using your administrator username and password and navigate to the Open Directory Master node." I see no node. There's no node, dammit!

If it's the latter, any ideas why it will not allow me to set the password from the server admin OD panel? It asks for it to be set up each time, but doesn't appear to set it.

Any advice SUPERLY appreciated.
posted by liquado to Computers & Internet (5 answers total)
 
Look at this image. See under the toolbar where there's text that says "Authenticated as diradmin to directory ...". That's your node. To change nodes, click the little triangle on that line all the way to the left. To authenticate to the node, click the lock all the way to the right.

Your OD node will be something like /LDAPv3/[ip|host]. In the picture, the user is authenticated to the OD.

Not sure what your password problems are. Just note, however, that the OD accounts are layered over the local server accounts. That is, an account can exist only in the OD but not on the local server, or vice versa. Where I work, every server has an "admin" account that is local, and then each administrator has a directory admin account that is in OD. Plus there's diradmin, which is the master directory admin account.

Finally, you have a very poor situation with 10.5 clients and 10.4 server. Do not use 10.5 Server/Workgroup Admin on a 10.4 server! You'll have to use 10.4 Server/Workgroup Admin from the 10.4 server itself.
posted by sbutler at 9:29 PM on May 13, 2009


I'm slightly confused. When dealing with Kerberos, are you also using Active Directory, or is all authentication going through OD?

sbutler: I don't think you're necessarily wrong, but if I read the OP correctly, the issue is he doesn't know the diradmin password, which is needed to authenticate into the ldapv3 node in the first place.

Also make sure your DNS records are exactly correct regarding your mac server A records. I've found macs get very unhappy very quickly with improper pointers -- much more so than windows servers. Improper DNS records can throw off things you'd think it has no business messing up on the mac server.
posted by jmd82 at 7:37 AM on May 14, 2009
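The forward/reverse agreement jmd82 describes can be checked mechanically. This is an added example, not code from the thread or from Apple: it verifies that the server's FQDN resolves to the expected address and that the PTR for that address names the same FQDN. The resolver functions are injectable so the check runs offline against the constructed sample below; `server.school.example` and `192.0.2.10` are made-up values.

```python
import socket
from typing import Callable, List, Optional

Forward = Callable[[str], List[str]]      # name -> list of IPv4 A records
Reverse = Callable[[str], Optional[str]]  # ip -> PTR name, or None if absent

def system_forward(name: str) -> List[str]:
    """A-record lookup via the OS resolver (IPv4 only)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the OS resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def check_server_dns(fqdn: str, expected_ip: str,
                     forward: Forward = system_forward,
                     reverse: Reverse = system_reverse) -> List[str]:
    """Return the list of problems found; an empty list means A and PTR agree."""
    problems = []
    a_records = forward(fqdn)
    if not a_records:
        problems.append(f"no A record for {fqdn}")
    elif expected_ip not in a_records:
        problems.append(f"{fqdn} resolves to {a_records}, not {expected_ip}")
    elif len(a_records) > 1:
        # Several A records make the canonical host name ambiguous for Kerberos.
        problems.append(f"{fqdn} has multiple A records {a_records}")
    ptr = reverse(expected_ip)
    if ptr is None:
        problems.append(f"no PTR record for {expected_ip}")
    elif ptr.rstrip(".").lower() != fqdn.rstrip(".").lower():
        problems.append(f"PTR for {expected_ip} is {ptr}, not {fqdn}")
    return problems

# Constructed sample zone data (hypothetical school server) for an offline run.
SAMPLE_A = {"server.school.example": ["192.0.2.10"]}
SAMPLE_PTR = {"192.0.2.10": "server.school.example"}

def demo(fqdn: str = "server.school.example", ip: str = "192.0.2.10") -> List[str]:
    """Run the check against the sample data instead of the live resolver."""
    return check_server_dns(fqdn, ip,
                            forward=lambda n: SAMPLE_A.get(n, []),
                            reverse=lambda a: SAMPLE_PTR.get(a))

if __name__ == "__main__":
    print(check_server_dns(socket.getfqdn(), socket.gethostbyname(socket.getfqdn())))
```

Run on the server itself, the `__main__` branch checks the name the host believes it has; any non-empty result is a record to fix before touching Open Directory.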


Response by poster: sbutler: thanks for the advice. You got me in the right ballpark, but I still can't authenticate to it, because I don't know the diradmin password. jmd82 is closer at this point, but the diradmin account does not come up in the list on the LH side of WG Manager, so I can't continue the directions from Apple on copying the slot ID. Argh. Of note, it doesn't list any of the other non-human users (clamav, daemon, etc) other than the admin accounts.

And, yes, they should go to 10.5 server. I'm going to advocate for that if I can't resolve this, as it would be dumb to reinstall 10.4 again, when most of the clients are now running 10.5.

Thanks for any additional ideas.
posted by liquado at 5:46 AM on May 15, 2009


It sounds like you need to reset the diradmin password. Remember that the diradmin is really just the privileged user that's allowed to modify the LDAP directory structure. It is *not* considered a local user. The idea is that you authenticate the Server Tools (Server Admin, Workgroup Manager) with your local admin user, and then you authenticate to the LDAP directory with the diradmin user. The diradmin user will not show up in the User list in WGM since you're probably browsing a list of the "local" users on the box.

So it sounds like you're just not selecting the LDAP directory structure and instead are browsing the local (NetInfo) structure. Look again at the image that sbutler linked to. Click on that little globe icon to switch between directory structures.

Once you can browse the LDAP structure you should be able to navigate to the diradmin user and follow the instructions in the Apple Support document to use mkpassdb command to change the password for the diradmin user.

Note that the linked instructions also tell you how to use Terminal to do both tasks (copying the SlotID and using mkpassdb). If WGM is really bhorked you might have to go down this route. Feel free to IM me (AIM: damienbarrett) and I can help walk you through this process if you want. I've done it dozens of times. In fact, it's a good idea, once you have your ODM back to normal, that you archive it for future problems. If you get locked out of your diradmin account again, you can simply use the Restore option in OD to restore a functional OD environment. It's an easier and faster process, but requires that you have regular archiving of your OD.
posted by mrbarrett.com at 7:36 AM on May 15, 2009


Response by poster: A quick follow-up to finish out the thread; I spent a bunch of time trying out the suggestions above, which would have worked great -- except that, as it turns out, the Kerberos install was b0rked, somehow. I finally gave up, backed everything up, and did a fresh install of Server 10.5. It's humming along nicely. :-)

Thanks for the help, meFites -- awesome, as usual.
posted by liquado at 8:56 PM on June 13, 2009

