KDC stopped
11-17-2004, 10:59 AM
Having just got KDC working (Mac OS X Server 10.3.6) I thought I'd share what little advice I could.
According to the small office setup example in the getting started manual you should have two network cards: the external one to your router and the internal one to your network. Reading threads here and elsewhere it seems that you need a fully working DNS in order for KDC to start up, and if you promote your server to be an Open Directory master before DNS is working correctly then KDC will not work and the only way to remedy the situation is to reinstall the server software. Having reinstalled the server software several times, my hopefully helpful advice is to disable your external network card at the install stage and make your server's Open Directory setup "stand alone". Then set up your internal DNS, promote your Open Directory to be an Open Directory master, and then re-enable your external network card.
Hope it helps someone
11-20-2004, 03:07 AM
Hi, your advice makes perfect sense. Before I do that I wondered if you had any advice on this issue:
I work at a high school and backed up our server by imaging it from an external hard drive that had a standard OS X version on it. This seemed to work well, but when I rebooted the server KDC did not restart. This server has the network home directories on it for 700+ kids and now I am stuck with login issues all over the school. Is there any way to start KDC without starting from scratch???
11-21-2004, 12:14 PM
I can't profess to be a Mac OS X Server expert, but maybe a fiddle with both your network card settings and your DNS settings might help. Also, sometimes it takes a while for KDC to start up. Apparently demoting your Open Directory settings to be a standalone server is a no-no as this will really mess your users up (although I can swear to that).
11-22-2004, 05:26 AM
I am trying to figure out how on earth I'm going to get it started, and the few ideas I have had so far have been useless.
I have however found a workaround. In Directory Access I selected an Open Directory server for LDAP, and typed in the 'dc=,dc=,dc=' settings. I then authenticated with a 'custom path' pointing to the 'LDAP server' I added. Logins are 100% successful but I know it's not the right way and the computers seem a little slower than usual.
11-23-2004, 07:22 AM
If you are using 2 network interfaces and you disable the external one to set up your internal DNS, KDC etc., the interfaces information section of your Server Admin application will show the DNS name on your internal interface when your setup is complete and DNS is running smoothly:
name  family  IP address    DNS name
en0   IPv4    192.168.0.1   server.company.private
However, when you re-enable your external interface the DNS information will disappear:
name  family  IP address    DNS name
en0   IPv4    192.168.0.1
en1   IPv4    192.168.1.20
I don't know what this means, but everything seems to be working so it's probably not a cause for concern.
Again, I hope this helps someone.
11-25-2004, 04:01 AM
I got it working!! Turns out it was the hostname of the computer. It was called xserve and although I added it as another DNS record, the IP address went to what we named the server. When KDC authenticated all it saw was xserve and no IP address and baulked.
I owe it all to that 4 Pages of info that went between xdavid and Dr.Chris Jones. Learnt more in that thread than i did at the Apple Xserve course :D :D
11-25-2004, 08:59 AM
Nice to know our thread has been of help to others, Scottsri. :cool:
Just to expand for anybody else finding this particular thread...
As a security mechanism for authentication, the KDC is properly pretty paranoid about its environment. I am not sure about its exact startup mechanism (if anybody else does, please feel free to post) but my best guess is that it seems to check what the hostname of its host is, look this up in its DNS and compare the IP received with its own. It also probably does a double check by taking its own IP, doing a reverse lookup on this and comparing the result with its hostname. If something doesn't check out, it presumes that there's something fishy going on and exits.
As you have noticed however, once it does start, and sets up all the configuration files, it seems to be capable of running for a while without some of that original info - until one day... decides that enough is enough...
I actually spend a good amount of my 'playtime' trying to intentionally break the KDC so I can try and figure out how to manually fix it (without doing the Standalone trick) and it is sometimes annoyingly stubborn about continuing to work when the rest of the system around it is falling apart.
And in case anyone is wondering... no, I have not yet figured out all the steps to rebuild it manually... almost but not quite...
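The forward/reverse consistency check guessed at above, written out as an added example (my own code, not Apple's KDC startup logic, whose exact behaviour this thread does not establish). The zone data, the hostnames and the local addresses are constructed for the demo; `table_resolvers` answers from that data so the script runs offline, while `system_resolvers` does the same two lookups against the real resolver so the check can be run on an actual box. The `xserve` case mirrors the symptom reported earlier in the thread: the hostname resolves, but the reverse record points back at a different name.

```python
"""Forward/reverse DNS consistency check of the kind a KDC is believed to
perform at startup: hostname -> A record must be one of our own addresses,
and that address -> PTR must give the hostname back.  Added example."""
import socket

# Constructed zone data for the offline demo (not real DNS records).
FORWARD_RECORDS = {
    "server.company.private": ["192.168.0.1"],
    # Hostname with an A record whose PTR points at the "real" server name.
    "xserve": ["192.168.0.1"],
}
REVERSE_RECORDS = {
    "192.168.0.1": "server.company.private",
}


def table_resolvers(forward_table, reverse_table):
    """Resolver pair backed by in-memory tables (for testing offline)."""
    def forward(name):
        return list(forward_table.get(name, []))

    def reverse(ip):
        return reverse_table.get(ip)

    return forward, reverse


def system_resolvers():
    """Resolver pair backed by the host's real resolver (socket module)."""
    def forward(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            return []

    def reverse(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    return forward, reverse


def check_dns_consistency(hostname, own_ips, forward, reverse):
    """Return a list of problems found; an empty list means both checks passed."""
    problems = []
    addrs = forward(hostname)
    if not addrs:
        problems.append(f"no A record for hostname {hostname!r}")
        return problems

    # Forward check: at least one address for our hostname must be local.
    matching = [a for a in addrs if a in own_ips]
    if not matching:
        problems.append(
            f"{hostname!r} resolves to {addrs}, none of which is a local "
            f"address {sorted(own_ips)}"
        )
        return problems

    # Reverse check: each matching local address must PTR back to the hostname.
    for ip in matching:
        back = reverse(ip)
        if back is None:
            problems.append(f"no PTR record for {ip}")
        elif back.lower() != hostname.lower():
            problems.append(f"PTR for {ip} is {back!r}, expected {hostname!r}")
    return problems


if __name__ == "__main__":
    fwd, rev = table_resolvers(FORWARD_RECORDS, REVERSE_RECORDS)
    for name in ("server.company.private", "xserve"):
        result = check_dns_consistency(name, {"192.168.0.1"}, fwd, rev)
        print(name, "->", "OK" if not result else result)
    # On a real server: fwd, rev = system_resolvers(); pass socket.gethostname()
    # and the set of the machine's interface addresses as own_ips.
```

The check accepts a host that has a second interface without a DNS name (as in the two-interface listing earlier in the thread) as long as one of its addresses matches the hostname's A record, so the disappearing DNS name on the extra interface would not trip this particular test.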
11-25-2004, 03:57 PM
I too have tried to manually start it and it wasn't pretty. I am sure you have read this two-part series:
It shows how to start it by hand and would work well with the 'changeip' command. If you have read this article, are there more parts in the series, because I could not find them? Otherwise have a read, it's very informative.
Sorry about these messy links.
11-25-2004, 07:39 PM
Oh, yes... been through those - don't seem to work :(
The basic config files etc are created... but the final key eludes me.
There does not seem to be the follow up article referred to.
Currently I'm doing it the difficult way, by working my way through the manual pages for the various Kerberos commands etc. and trying things out. Maybe I should just buy a book, but at the moment it is more of a puzzle to 'pass the time' :eek: rather than a critical item on my todo list!