on setting up an OD master to accept Kerberos from an AD domain and I can't get AFP to work.
What I've done:
1. Bind OD Master to AD
2. Destroyed the OD Kerberos realm
3. Ran sudo dsconfigad -enableSSO
When I log into a client that is bound to both AD and OD and try to access an SMB share on the AD side, it works. When I try to access an SMB share on the OD master, it works. When I try to access an AFP share on the OD master, it fails with the error "The user authentication method required by this server can't be found". Now, I think this error is because I'm forcing Kerberos authentication; if I change the AFP setting to any authentication method, I get prompted with the AFP login window, I enter my AD account information and I'm able to mount the share.
I'm trying to get my Leopard client to access sharepoints on my Leopard server using Kerberos authentication established at login. I'll list what I have done already below:
- OD set up with a username (short and long) and password that are the same as those being used on the client laptop.
- Client laptop is bound to the OD.
- Modified /etc/authorization: <string>builtin:authenticate,privileged</string> to <string>builtin:krb5authnoverify,privileged</string>
When I log in it accepts my password and allows me into the laptop. The OD logs show that authentication to the server took place (I believe) (username and domain intentionally masked):
Code:
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) NEEDED_PREAUTH: user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Additional pre-authentication required
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) NEEDED_PREAUTH: user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Additional pre-authentication required
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): handling authdata
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): handling authdata
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): .. .. ok
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): .. .. ok
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) ISSUE: authtime 1202564345, etypes {rep=16 tkt=16 ses=16}, user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) ISSUE: authtime 1202564345, etypes {rep=16 tkt=16 ses=16}, user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
When I try to connect to an AFP sharepoint it again asks me to authenticate. If I authenticate once then I can access any other sharepoints with no problems; however, I'd like to be able to use the Kerberos ticket I believe I have from the system login to do this AFP authentication.
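The krb5kdc lines above only show an AS_REQ, i.e. the login obtained a ticket-granting ticket. A Kerberos AFP mount would additionally show a TGS_REQ for the afpserver/<host>@<REALM> service principal, so the absence of that line is what to look for. As an added example (not part of the post, and not Apple's tooling), the parser below reads MIT-style krb5kdc lines, reports what the KDC issued and with which encryption types, and checks whether a service ticket for a given service was ever requested. The posted lines are reused as sample input; the TGS_REQ line is constructed to show what a successful AFP request would look like. Encryption type 16 is des3-cbc-sha1, and the client also offers single-DES and RC4 (23, 1, 3, 2), which the audit flags.

```python
import re
from collections import defaultdict

# Kerberos encryption type numbers (RFC 3961/3962/4757) seen in the posted log.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ETYPES = {1, 2, 3, 23}  # single DES and RC4: broken or deprecated

# One MIT-style krb5kdc request line. The "client-ip:" field is optional
# because the posted lines do not carry it.
KDC_LINE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[\d ]*)\}\) "
    r"(?:(?P<ip>[\d.]+): )?"
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{(?P<issued>[^}]*)\}, )?"
    r"(?P<client>[^\s,]+) for (?P<service>[^\s,]+)"
)


def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ line; debug chatter is skipped."""
    events = []
    for line in text.splitlines():
        m = KDC_LINE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["offered"] = [int(x) for x in ev["offered"].split()]
        issued = ev.pop("issued")  # "rep=16 tkt=16 ses=16" on ISSUE lines
        ev["issued"] = (
            {k: int(v) for k, v in (p.split("=") for p in issued.split())}
            if issued else {}
        )
        events.append(ev)
    return events


def audit(events):
    """Summarise what the KDC actually handed out, per client principal."""
    issued = defaultdict(set)   # client -> services for which a ticket was ISSUEd
    weak_offered = set()        # clients that offered DES/RC4 enctypes
    ticket_etypes = {}          # client -> enctype of the last issued ticket
    for ev in events:
        if ev["status"] == "ISSUE":
            issued[ev["client"]].add(ev["service"])
            tkt = ev["issued"].get("tkt")
            ticket_etypes[ev["client"]] = ETYPE_NAMES.get(tkt, str(tkt))
        if WEAK_ETYPES & set(ev["offered"]):
            weak_offered.add(ev["client"])
    return {"issued": dict(issued), "weak_offered": weak_offered,
            "ticket_etypes": ticket_etypes}


def service_ticket_seen(events, client, service_prefix):
    """True if the KDC issued `client` a ticket for a service whose principal
    starts with service_prefix (e.g. 'afpserver/'). A TGT alone does not
    authenticate an AFP mount; the client must send a TGS_REQ for it."""
    return any(
        ev["kind"] == "TGS_REQ" and ev["status"] == "ISSUE"
        and ev["client"] == client and ev["service"].startswith(service_prefix)
        for ev in events
    )


# Sample input taken from the post (duplicates dropped for brevity).
POSTED_LOG = """\
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) NEEDED_PREAUTH: user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV, Additional pre-authentication required
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): handling authdata
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](debug): .. .. ok
Feb 09 13:39:05 server.xxxx.priv krb5kdc[512](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) ISSUE: authtime 1202564345, etypes {rep=16 tkt=16 ses=16}, user@SERVER.xxxx.PRIV for krbtgt/SERVER.xxxx.PRIV@SERVER.xxxx.PRIV
"""

# Constructed line (NOT from the post): what a Kerberos AFP mount would add,
# a TGS_REQ for the afpserver service principal of the file server.
AFP_TGS_LINE = (
    "Feb 09 13:40:11 server.xxxx.priv krb5kdc[512](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    "ISSUE: authtime 1202564345, etypes {rep=16 tkt=16 ses=16}, "
    "user@SERVER.xxxx.PRIV for afpserver/server.xxxx.priv@SERVER.xxxx.PRIV\n"
)

if __name__ == "__main__":
    client = "user@SERVER.xxxx.PRIV"
    events = parse_kdc_log(POSTED_LOG)
    print(audit(events))
    print("AFP ticket requested (posted log):",
          service_ticket_seen(events, client, "afpserver/"))
    print("AFP ticket requested (with constructed TGS_REQ):",
          service_ticket_seen(parse_kdc_log(POSTED_LOG + AFP_TGS_LINE),
                              client, "afpserver/"))
```

On the posted log the check returns False: the client was never seen asking for an afpserver ticket, which matches the password prompt the poster sees.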
I am having difficulty troubleshooting this error. I have attached a section of the /var/log/opendirectoryd.log file while in debug mode. This is a 10.7.3 Open Directory master with no replicas. I put logging into debug mode to try to get to the root of this problem but I am not finding an answer to this issue. I am getting this same error message with multiple users, but they can all log in and function just fine. We are doing RADIUS auth to OD from our Cisco ASA for VPN connectivity and that works fine as well.
2012-03-12 11:30:09.119 PDT - Multiple names for non-user record 'wleler' - will be cache miss for others
2012-03-12 11:30:09.119 PDT - Module: SystemCache - Attaching Kerberos id 'wleler@OSXSERVER01.UTIL.PDX.OFFICE' to record 'wleler'
2012-03-12 11:30:09.119 PDT - Setting item 'wleler' with expiration 406137
2012-03-12 11:30:09.119 PDT - Adding item 'wleler' with expiration 406137
2012-03-12 11:30:09.119 PDT - Module: SystemCache - RBtree add - GlobalGUID - adding entry wleler (0x43E09310) -
I'm having all kinds of 'not found' issues with Lion Server, but I think a lot of them may stem from not being able to stop Kerberos from running on Open Directory. Therefore I'm currently running two Kerberos realms, OD and Active Directory. When I try to stop it in Terminal it errors; see below...
shutting down kadmind
kadmind shut down
shutting down kdc
Then in Server Admin it still shows Kerberos for OD as "running", so I know it hasn't worked?
I'm running Server 10.4.8; how do I authenticate NT domain users on this? I tried to set the server to be a Backup Domain Controller, but then it wants Open Directory to be in replica mode. The problem there is that it needs an Open Directory server to replicate.
I've just set up DNS on Lion Server, and whereas previously I could connect to a system on my network by the hostname (e.g. via ssh), using the Lion Server DNS requires the fully-qualified name. Is this by design? I've checked all my settings and it all seems to be correct.
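Whether a short name like "mini" resolves depends on the client's search list, not on the DNS server: a stub resolver appends each search domain in turn and only tries the bare name as given once it contains at least "ndots" dots. As an added example (not from the post, and not Apple's resolver code), the snippet below reads a resolv.conf-style configuration and lists, in order, the names a libc-style resolver would query. The configuration text and the domain office.private are constructed for the example.

```python
def parse_resolv_conf(text):
    """Minimal resolv.conf reader: nameserver, search/domain, options ndots:N.
    As in libc, a later search/domain directive replaces an earlier one."""
    cfg = {"nameservers": [], "search": [], "ndots": 1}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            cfg["nameservers"].append(args[0])
        elif key in ("search", "domain"):
            cfg["search"] = [d.rstrip(".").lower() for d in args]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    cfg["ndots"] = int(opt.split(":", 1)[1])
    return cfg


def candidate_names(name, search, ndots=1):
    """Names a libc-style stub resolver tries, in order, for `name`.

    A trailing dot means fully qualified: one lookup, no search list.
    With fewer than `ndots` dots the search domains are tried first and the
    bare name last; otherwise the bare name is tried first."""
    if name.endswith("."):
        return [name.rstrip(".")]
    expanded = [f"{name}.{d}" for d in search]
    if name.count(".") >= ndots:
        return [name] + expanded
    return expanded + [name]


# Constructed configuration for the example: one DNS server and one search
# domain, the shape the Lion Server DNS setup would hand out via DHCP.
RESOLV_WITH_SEARCH = """\
nameserver 10.0.1.2
search office.private
"""
# Same server, but no search domain: short names are tried only as typed.
RESOLV_NO_SEARCH = "nameserver 10.0.1.2\n"

if __name__ == "__main__":
    for text in (RESOLV_NO_SEARCH, RESOLV_WITH_SEARCH):
        cfg = parse_resolv_conf(text)
        print(cfg["search"], "->", candidate_names("mini", cfg["search"], cfg["ndots"]))
```

With no search domain, "ssh mini" becomes a single lookup for the literal name "mini", which the new zone cannot answer; with "search office.private" the resolver queries mini.office.private first.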
I have just done a little design in iWeb '09 on my new 27" iMac and have uploaded it to my hosting. It's successfully uploaded, but the problem is this: if my web address was, say, www.macs4u.co.uk, when I type that in now it goes to www.macs4u.co.uk/www.macs4u.co.uk/welcome.html and shows the site I just uploaded. Why can't I just have it uploaded to my server so that when I type in www.macs4u.co.uk it stays as that and shows the website?
I have not set up SSL before, so I have a very basic question. I would like to support my Mac Lion Server based email with a basic SSL cert that was provided with my domain name.
When setting up the certificate, would I set the dNSName to domainname.com or to server.domainname.com?
My mail server host name is set to server.domainname.com, so I would assume this is the correct one, but emails are addressed to name@domainname.com so
I want to be sure I am setting this correctly before I generate the CSR.
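A mail client validates the certificate against the host it connects to (the IMAP/SMTP server name), not against the domain part of the e-mail address, so the name that has to appear in the certificate is whatever clients are configured to talk to. As an added example (not from the post, and not any library's validation code), the checker below implements the RFC 6125 style host-name match (exact match, or a wildcard only in the leftmost label that covers exactly one label) and reports which connection endpoints a given list of certificate names leaves uncovered. The names domainname.com and server.domainname.com are the placeholders from the post; the endpoint list is constructed for the example.

```python
def hostname_matches(cert_name, hostname):
    """RFC 6125 / RFC 2818 style check of one certificate name against a host.

    Rules: case-insensitive exact match, or a wildcard that is the entire
    leftmost label and matches exactly one label. '*.com' (too broad) and
    wildcards in other labels are rejected."""
    cert_name = cert_name.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in cert_name:
        return cert_name == hostname
    p_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):       # '*' covers exactly one label
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_endpoints(san_names, endpoints):
    """Hosts that clients will connect to but no certificate name covers."""
    return [h for h in endpoints
            if not any(hostname_matches(n, h) for n in san_names)]


# Constructed for the example: the host mail clients are pointed at for IMAP
# and SMTP submission. The e-mail address domain plays no part in this check.
MAIL_ENDPOINTS = ["server.domainname.com"]

if __name__ == "__main__":
    for names in (["domainname.com"],
                  ["server.domainname.com"],
                  ["domainname.com", "server.domainname.com"],
                  ["*.domainname.com"]):
        print(names, "->", uncovered_endpoints(names, MAIL_ENDPOINTS) or "all covered")
```

A certificate issued only for domainname.com leaves server.domainname.com uncovered and every client will warn; issuing it for server.domainname.com (or listing both names) covers the mail host.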
I've registered a domain and it works fine when anyone enters www.mydomain.com. However, when I type the domain name without 'www', I get the following: Network Error (tcp_error) A communication error occurred: "Operation timed out" The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time. For assistance, contact the IS Support Center.
Info: iMac G5 PPC, Mini Server, MBP, TV, Mac OS X (10.6.4), iPad2, iPhone, AppleTV
Here again dealing with how OS X deals with .local domains, I think. Was previously bound and all was working fine. Have just updated to 10.7.4. When trying to log in using "Other User", the button stays red and says "Network accounts unavailable". I can ping the domain server by name and IP. Permissions have been rebuilt.
Have rebound. Had a problem at first unbinding inside the Open Directory Utility, as it said it could not connect with the domain and an unused account would be left if a forced unbind was done. Tried again by using the minus button instead of the Unbind button and it worked without any message.
So then bound to the domain and all looked good. Green button next to Network Account Server in Users and Groups.
Info:iMac (27-inch Mid 2011), Mac OS X (10.7.3), VM Ware with XP Pro
Normally, you can create a DNS record that points to the zone itself, e.g.:
@ 10800 IN A
How do you accomplish that on a Mac OS X Lion Server? The DNS requires you to enter a hostname and it does not accept "@" as the hostname as it normally appears in the zone file. (Manually modifying the host file does not work; I tried that ;-) )
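In a zone file "@" is not a hostname at all: it is shorthand for the current $ORIGIN, so an "@ IN A" record is owned by the zone name itself (the apex), and a GUI that asks for a hostname is asking for that same zone name. As an added example (not from the post, and not BIND or Lion Server code), the small zone-file parser below expands "@", relative names and blank owner fields to fully qualified owners, which makes the apex record visible as an ordinary record owned by example.com. The zone text and the 203.0.113.0/24 addresses are constructed for the example; multi-line parenthesised records are not handled.

```python
def absolutize(name, origin):
    """Expand a zone-file name: '@' is the origin, a trailing dot means
    absolute, anything else is relative to the origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin=None, default_ttl=None):
    """Parse a simple master-file zone into (owner, ttl, type, rdata) tuples.

    Handles $ORIGIN, $TTL, comments, optional TTL and class fields, blank
    owner fields (reuse the previous owner) and relative names in the data of
    NS/CNAME/MX/PTR records. One record per line."""
    records, prev_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if origin is None:
            raise ValueError("record before $ORIGIN and no origin supplied")
        if raw[0].isspace():                 # blank owner: same as previous record
            if prev_owner is None:
                raise ValueError("blank owner with no previous record")
            owner = prev_owner
        else:
            owner = absolutize(tokens.pop(0), origin)
        prev_owner = owner
        ttl = default_ttl
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        if rtype in ("NS", "CNAME", "MX", "PTR"):   # target names are also relative
            parts = rdata.split()
            parts[-1] = absolutize(parts[-1], origin)
            rdata = " ".join(parts)
        records.append((owner, ttl, rtype, rdata))
    return records


def apex_records(records, zone):
    """Records owned by the zone name itself: what '@' denotes."""
    zone = zone if zone.endswith(".") else zone + "."
    return [r for r in records if r[0] == zone]


# Constructed sample zone (example.com and 203.0.113.0/24 are reserved for
# documentation). The '@ 10800 IN A' line is the record the poster wants.
ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1 hostmaster 2012031201 7200 900 1209600 3600
         IN NS    ns1
@  10800 IN A     203.0.113.10     ; the apex address record
ns1      IN A     203.0.113.2
www      IN CNAME @
"""

if __name__ == "__main__":
    recs = parse_zone(ZONE)
    for r in apex_records(recs, "example.com"):
        print(r)
```

Run on the sample, the apex A record comes out as ("example.com.", 10800, "A", "203.0.113.10"): the owner to enter where a tool asks for a hostname is the zone name itself, with no label in front of it.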
I recently purchased a new MacBook Pro with Mac OS X; I updated the OS to the latest release, which is 10.7.3. I need to join (bind) an MS Windows Server 2008 domain, but when I try to bind I get the error below:
Unable to add server.
The daemon encountered an error processing request (10002)
I searched the internet for a solution; most suggestions refer to syncing the clock with the domain clock, as the Kerberos protocol is unable to authenticate. I cannot find an option to sync the clock with the domain clock; how do I do that?
I looked for an introduction forum but couldn't see one, so hello guys and gals. Great forum you've got here. Right, my issue is as follows. I have a new iMac Pro on Snow Leopard 10.6.4 and it is linked to a Windows SBS Server 2007, but I don't think I've done it properly. When I switch the machine on, all I get on boot-up is one local user. Sometimes I can leave it and it will offer me the 'Other' option, which I can then use to log in to the server, but most times it doesn't do that. I have to log on as that local user and then unbind the Windows domain and rebind it; then when I log off it shows me the 'Other' user. Another thing that's annoying is it doesn't map anything automatically; I have had to create an alias icon on my desktop to go to my server space, and it can take up to a minute to connect to the server.
I have been unable to find any references on how to best automate certain "tasks" in Lion so that I can do the following:
- create predefined DNS names based upon the client's domain name
- create a predefined web address based upon the just-created DNS name
For example... We have the customer "Sammy's Flower Garden" and his domain is "sammysflowergarden.com". At the command line, I would type:
$ clientsetup sammysflowergarden.com
This would then create a base folder structure (this part has already been written):
ClientDomains
    - S
        - sammysflowergarden.com
            - production
            - staging
            - archive
            - design
                - template
From what I have read, a lot of modifications outside of the Lion serveradmin tooling can result in some rather unusual if not nasty behaviour. If this is true, then I would assume that I could not just write out to a file in /var/named/ and have it automatically picked up by the server? The same for the Apache instance? I still want to be able to use the GUI interface when needed.
I have Mac OS X 10.7.3. After joining the Windows 2008 R2 domain and rebooting the system, I have no item where I can enter domain credentials. But if I log in as a local user and log off, I have the item for entering domain credentials. Why does this item not show after a restart? How can I fix it?
I'm trying to setup a Lion Server as an internet server - not as a web server - I need access to a different port. When I use the Server UI to go to Web, I can select to edit my domain name but then in the edit window, the Domain Name field is blank, and I can't change anything such as the port, SSL Cert, etc. As best I can tell, I have the DNS setup but I'm not sure I've done it correctly. I can add a second domain name and can edit the details for that. I'd hoped I could delete the first one or swap them but no luck. I can't access the domain name from outside the LAN but it may have just not propagated yet. I can access the IP address and do see the default home page.
We have a Mac server running and have a Windows-based (XP) machine logging on to the domain. Is there a way to enable offline files on the Mac server so that a copy is saved on the Windows machine and when the user logs on to the domain again the files get synced?
I've set up my Mini Server as "server.domain.private" because I don't want it to be published on the internet by default; I want to have control over which webapp is published. My main goal is to have a new vhost which serves only the webapps I need to be running and, why not, host multiple vhosts, enabling just some (or one) webapps on each [url]. In other words, I want control over what is published, where and how. In order to publish Profile Manager I did:
- created a new virtual host on the web service called "server.public-domain.com"
- enabled the webapp on that vhost from Terminal as found in [url], using the command "webappctl start [url]"
- restarted the whole server
But this seems not to work as expected... should it??? After some dirty work on the Apache config (copy/paste from the original vhost of some "proxypass" and "balancemembers" and "include" regarding devicemgmt) I got it to ask me for a password when browsed from the outside world, BUT after login it redirects my browser to "server.domain.private", which is obviously not working from outside.
Info: Lion Server, Mac OS X (10.7.3), profile manager / ical server / ios
When a user logs in, or tries to, it brings up Kerberos Agent and asks for a password. Anything you enter results in taking you back to the login screen. How do I disable this? All Macs are running off of a Panther Server for login options.
After updating to OS X Lion I've been having trouble with a dialog box wanting me to enter my Kerberos user name and password. I have no idea why this happens or what user name / password it is asking for; I just hit cancel and everything else seems to work fine. But the dialog box keeps popping up again and again, which is pretty annoying. Can anyone tell me how to turn it off?
I closed the Terminal window that I entered the command into, but from what I recall I typed: chmod 444 . I may have put in ~/Library/Preferences or I may not have; I did push Enter before finishing the line, though. Now when I try to set it back to not showing hidden files I get this: [URL:...] Could not write domain com.apple.finder; exiting. Anyone know how I can undo whatever it is I have done?
Students cannot log in to the AD system from Mac clients. Clients were functioning okay. I discovered some file permission problems: some student folders were receiving inherited permissions allowing students access to other students' folders. I corrected the permissions. The student folders are located here: \\SERVER\students\gradyear\student name. Students have traverse folder permissions to students and grad year. Students have modify permissions to their own folder. Windows clients work. Mac clients, where the student has logged in before, appear to be logging in, but then fail, returning to a login screen. If the student has never logged into that Mac before they are shook off. It appears that the permissions required for the Macs to write to the student folders are now incorrect. But I cannot find information on how permissions should be set for home folders residing on a Windows server. Also, I am fairly new at OS X administration (3 months) and have not discovered what log files to view to analyze the problem.
I have a new 27" i7 iMac with OS X 10.6.4 and need to connect it to our workplace network, which runs a Windows 2003 Domain Controller etc. I've never touched an Apple/iMac before and I don't know much of anything about them. I'll tell you this much, I LIKE THIS MACHINE! WOW! I really like it! So I'm pretty sure I have it on the network... maybe. But the biggest problem I have is that when I log on as the user (and it indicates "Network" under the user name), I can see the network resources and the user folder is available down on the Dock, but when I make changes to the Desktop, Dock etc. they don't save when I log out and log back in. So I hope someone here can help point me in the right direction. I have done a lot of Google and other forum searching but I'm not really finding my answer.
I have a machine in a workgroup called 21; the machine name is icey. I have a domain called avery. I am able to access files on the domain from icey, but when I try to connect to a printer it says I don't have sufficient access. The printer in question is a resource on a machine called marble, and the printer itself is called new_printer, and yes, it's being shared. Actually, I cannot connect to any printers on the domain from icey.
Everyone on the domain can access all the printers; however, no one from 21 can connect to them. It was necessary for me to build 21, but it is still important for 21 to be able to use avery resources. Is there any way I can get this to connect?
I am new to the use of Macs (and to the "administration" of computers in general).
I need to run a program that uses the domain name for its license.
When I checked System Preferences > Sharing > Remote Login (on),
there is a message saying "To log in to this computer remotely type "ssh name@xxx.XXXXXX.XX"".
Now, for my program to run, I need to change the characters in capital letters (from the domain name) to lowercase, i.e. I would like to see a message of the sort "To log in to this computer remotely type "ssh name@xxx.xxxxx.xx"".
Is this possible? How can I change the domain name?
I have just bought a personal domain through GoDaddy - [URL] - to use with my almost complete MobileMe site. With Safari everything seems to be fine: type in the domain with or without the 'www' and you arrive at the right place. But with every other browser I've tried (Chrome, Firefox, Flock and Camino) only the [URL] version works. Enter the URL without the www and you end up at [URL]. Could someone let me know what I've done wrong? I've tried clearing the cache in all the browsers but that's had no effect.
I created my account username on my Mac (OS X 10.6.2) long before I created my website. Let's say my user account name happens to be 'myname' and my website happens to be [URL]. I hadn't noticed it was a problem until the other day. I changed the site base ref to work from [URL] away from [URL]. The problem is that on my Mac, the address [URL] is referring to the local web server, i.e. the pre-installed Apache and /Library/WebServer/Documents, not the actual web address. If Web Sharing is switched off via the Sharing preference pane, the address returns a Google "not found" page, which seems very odd.
It will also do this from any user account, with identical results, so I know the Mac has reserved the name in some way. I don't want to rename my user account. I can't see my own website on my Mac, which is very frustrating, as my website root is forcing all traffic to [URL] (which is what I want, of course) and not [URL]. I have to use Parallels with a version of Windows to see the site properly.
I am creating my website. I purchased a domain name from GoDaddy. Then I set up a MobileMe account to host it using iWeb. But I am having trouble forwarding my domain name to my MobileMe account. Also, from my MobileMe account the test connection failed when I tried to publish it to my domain name.