Help with Mac OS Server and Open Directory

thecow
Sep 11, 2007, 08:29 PM
I am a student in high school and in charge of a small mac lab with about 25 eMacs as a sort of internship with the yearbook/school newspaper teachers.
I am trying to set up an Open Directory server so that everyone can have secure storage for their files rather than everyone dumping them on one folder on the server. I have set up DNS, and the name for the server does resolve correctly to its IP.

server:~ admin$ hostname
server.dordai.com
server:~ admin$ host server.dordai.com
server.dordai.com has address 192.168.1.100
server:~ admin$ host 192.168.1.100
100.1.168.192.in-addr.arpa domain name pointer server.dordai.com.

I can also get to the OD server from terminal on the client using dscl

matthew-dordais-computer:~ mattdordai$ dscl localhost
cd LDAPv3
/LDAPv3 > ls
server.dordai.com
/LDAPv3 > cd server.dordai.com
/LDAPv3/server.dordai.com > ls
AccessControls
AutoServerSetup
CertificateAuthorities
ComputerLists
Computers
Config
FileMakerServers
Groups
Locations
Machines
Mounts
Neighborhoods
People
PresetComputerLists
PresetGroups
PresetUsers
Printers
Users
/LDAPv3/server.dordai.com > cd Users
/LDAPv3/server.dordai.com/Users > ls
diradmin
root
test
vpn_4ab158a31ea4

If I change the user account "test" to use a Crypt Password, I can log in fine but everything I have read about crypt passwords stresses that they are insecure and should be avoided. If I set the test account to use an Open Directory password, the password is rejected when I try to log in from the client.

The server is configured as an Open Directory Master and Lookup Server, LDAP Server, Password Server, and Kerberos are all running.

From what I've read about OD, it seems that a crypt pw does not require Kerberos but an Open Directory one does. Is this correct and what could be wrong with the way Kerberos is configured?

If I can't figure this out, is it really ok to just use crypt passwords for all of the users? I'm willing to bet that there are at least a few fellow students that would love to wreak havoc with everyone else's files and it's been done before.



MacsRgr8
Sep 13, 2007, 05:11 PM
It seems Kerberos is not working properly then?

Just for my info:

If I install an OD Master I follow the following procedure so that I know it should work:
- Install Mac OS X Server.
- Configure as "stand alone" (manual IP address).
- Do all system updates.
- Do fsck, disk permissions check, and periodic daily, weekly monthly.
- Make sure IP address of server has DNS entry with PTR, if not:
- - - setup DNS on the Mac OS X Server with forwarders to eligible DNS on network (setup local network settings DNS-Server to this server, and reboot).

- Only if all above are done to your satisfaction...:

- Setup OD master.
- All info concerning OD and Kerberos should be related to your OS X Server's DNS name!
- Reboot.
- Setup AFP.. the rest.. etc.. bla bla.

My question is, are you sure everything is setup to your satisfaction?
Looking at your settings DNS and PTR seem good, but are you sure the OD search base etc. are all correctly DNS related?

thecow
Sep 13, 2007, 07:38 PM
That could be it, but I just noticed yesterday that it asked for a kerberos password to connect to the server with afp and that worked fine. I've never set up a DNS before, but it does seem like it is working correctly. I have a book at school with tutorials on how to use mac os server and I just followed the one about DNS. I know that there is a DNS for the whole school, bcps.org but I don't exactly have access to it and the way the county runs things it could be a royal pain to get my server added. They are phasing out all macs anyway and probably don't want anything to do with it.

I've also tried a smaller setup at home with mac os server and I'm having the same issue and there is no other DNS on my home network. It seems odd that all of the tutorials I've read about this say nothing about this issue but I've managed to produce it twice and I have no idea why.

Pardon my n00bness, but what exactly do you mean by "OD search base etc. are all correctly DNS related?" Is that having /LDAPv3/server.dordai.com as a search path in the LDAP settings of the Directory Access utility?

Thank you so much for your help.

v8media
Jun 2, 2008, 04:42 PM
Make sure IP address of server has DNS entry with PTR, if not:

What is PTR? A program?

MacsRgr8
Jun 2, 2008, 04:55 PM
What is PTR? A program?

PTR = "Pointer", i.e. reverse DNS lookup.

Example:

Forward DNS lookup (done in Terminal.app):
macpro:~ user$ nslookup xserve.domain.com
Server: 192.168.9.254
Address: 192.168.9.254#53

Name: xserve.domain.com
Address: 192.168.9.11

Reverse DNS lookup (= PTR record):
macpro:~ user$ nslookup 192.168.9.11
Server: 192.168.9.254
Address: 192.168.9.254#53

11.9.168.192.in-addr.arpa name = xserve.domain.com.

In this example, "xserve.domain.com" has IP address 192.168.9.11
The DNS server which has been asked this query is 192.168.9.254.

The PTR record makes sure the IP address 192.168.9.11 has been given a name in the nameserver.
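Both the setup checklist above ("make sure IP address of server has DNS entry with PTR") and the PTR explanation come down to one check: the forward A record and the reverse PTR record must agree on the server's name, because Open Directory and Kerberos key everything to that name. The script below, added here as an example and not taken from the thread, automates that round trip with host(1); the parser functions take the same output format the posts show, and the hostname used is the one from the thread.

```shell
#!/bin/sh
# Added example: verify that a server's forward (A) and reverse (PTR) DNS records
# agree, the precondition MacsRgr8's checklist requires before promoting an OD master.
# Assumes host(1) is installed; the sample values below are the ones from the thread.

# Build the in-addr.arpa name for a dotted-quad IPv4 address.
in_addr_arpa() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Pull the address out of a "NAME has address IP" line (host(1) forward output) on stdin.
parse_a_record() {
  awk '/has address/ { print $4; exit }'
}

# Pull the name out of a "... domain name pointer NAME." line (host(1) reverse output) on stdin.
parse_ptr_record() {
  awk '/domain name pointer/ { print $5; exit }'
}

# Compare two DNS names: ignore case and the trailing dot a PTR answer carries.
names_match() {
  a=$(printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z')
  b=$(printf '%s' "$2" | sed 's/\.$//' | tr 'A-Z' 'a-z')
  [ "$a" = "$b" ]
}

# Live check: forward lookup of the FQDN, then reverse lookup of the address it returned.
check_dns_roundtrip() {
  fqdn=$1
  ip=$(host "$fqdn" 2>/dev/null | parse_a_record)
  [ -n "$ip" ] || { echo "FAIL: $fqdn has no A record"; return 1; }
  ptr=$(host "$ip" 2>/dev/null | parse_ptr_record)
  [ -n "$ptr" ] || { echo "FAIL: no PTR record at $(in_addr_arpa "$ip")"; return 1; }
  if names_match "$fqdn" "$ptr"; then
    echo "OK: $fqdn -> $ip -> $ptr"
  else
    echo "FAIL: $fqdn -> $ip, but the PTR record says $ptr"
    return 1
  fi
}

# Usage: sh check_dns.sh server.dordai.com
if [ -n "${1:-}" ]; then
  check_dns_roundtrip "$1"
fi
```

A FAIL on the reverse step is the situation the checklist warns about: the forward name works for AFP, but Kerberos on the server will have been set up against whatever name the PTR record gives.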