Client can't log in to Open Directory master




Umbre
Aug 14, 2008, 10:57 AM
Hi,

I'm setting up a new network and followed the doc to do so, as I'm not a specialist.

What I have, and which (apparently) works, is:

Server1
an internal DNS service - verified with changeip
a DHCP service

Server2
Open Directory master - with Kerberos running, authenticated binding not activated
AFP - share point shared with automount and group authorisation given

Server3
AFP - share point shared with automount and group authorisation given

In WGM I created two test users:
"U1", member of "grouptest", with home folder located on server2
"U2", member of "grouptest2", with home folder located on server3

I manually created the group folders. First thing to note: the users' home folders did not get created after I clicked the "create home now" button in WGM. I suspected it is because I miswrote the path for the home folder in WGM, although I tried to copy the example given. E.g. I wrote: afp://FQDN/Hard disk name/folder name.

Client configuration
Regarding client config, I entered server2's FQDN in Directory Utility; it states the server responds normally. I was not able to bind, however, and I don't know if it's necessary.

The problem
When I try to log in using the client's login window, neither test user (u1, u2) succeeds. I get an error message: "You cannot log in at the moment because an error occurred."
On server2, the Kerberos app shows it does not give out any tickets.

I'd be grateful for any thoughts, as I am not seeing which direction to follow.



crackpip
Aug 15, 2008, 10:23 AM
I am not an expert at this, but I've been testing it out on a small network at home, including OpenDirectory authentication across multiple machines with networked home directories and portable home directories.

The first thing is that when setting up the automount, you need to make sure it is enabled for guest access.

If you use a different drive or partition for home directories under Leopard, the share point URL will be afp://FQDN/Users, but the full path will be in the /Network/Servers directory under the path: '/Network/Servers/FQDN/Volumes/Drive-Name/path-to-users'.

When creating users, of course, make sure they are being added to the LDAP directory, not the local database.

Using Directory.app, you need to at least have the clients set up to look at the server for authentication. If I remember correctly, you should be able to log on and see your home directory from the client at this point. For Kerberos to work, I think you have to bind the clients to the server. Then create a computer group with the clients and server in it. Finally, you need to add user records to the Kerberos database in OpenDirectory using Server Admin.

I just moved and haven't had time to reset all of the clients, so the last part is a bit fuzzy. I did have most of this working, however.

crackpip
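
The path convention crackpip describes (share point URL afp://FQDN/ShareName on the server side, /Network/Servers/FQDN/Volumes/Drive-Name/path-to-users on the client side) can be checked with a small script before typing anything into WGM. This is an added example, not code from the thread; the host name server2.example.com and the volume path /Volumes/Data/Users are constructed values, and the mapping it applies is the one stated in the post above.

```shell
#!/bin/sh
# Added example: sanity-check the home-folder URL entered in Workgroup Manager
# and derive the client-side mount path it should resolve to.
# Assumption (from the post): afp://FQDN/ShareName maps on the client to
# /Network/Servers/FQDN/<local path of the share on the server>.

# od_home_url_check URL
# Returns 0 when URL uses the afp:// scheme, a dotted (fully qualified) host and
# a bare share name without spaces or extra path components; otherwise prints
# the reason and returns 1. The OP's "afp://FQDN/Hard disk name/folder name"
# fails here because it names a volume path instead of the share point.
od_home_url_check() {
    url=$1
    case $url in
        afp://*) ;;
        *) echo "scheme must be afp://"; return 1 ;;
    esac
    rest=${url#afp://}
    case $rest in
        */*) ;;
        *) echo "share name missing after the host"; return 1 ;;
    esac
    host=${rest%%/*}
    share=${rest#*/}
    case $host in
        *.*) ;;
        *) echo "host '$host' is not a fully qualified name"; return 1 ;;
    esac
    case $share in
        "") echo "share name missing"; return 1 ;;
        *" "*) echo "share name '$share' contains spaces"; return 1 ;;
        */*) echo "'$share' has extra path components; use only the share point name"; return 1 ;;
    esac
    return 0
}

# od_home_path URL LOCAL_SHARE_PATH USER
# Prints the path the client should resolve the user's home to, e.g.
# afp://server2.example.com/Users + /Volumes/Data/Users + u1 gives
# /Network/Servers/server2.example.com/Volumes/Data/Users/u1
od_home_path() {
    od_home_url_check "$1" >/dev/null || return 1
    rest=${1#afp://}
    host=${rest%%/*}
    printf '%s\n' "/Network/Servers/${host}${2%/}/$3"
}
```

If the printed path does not exist on a logged-in client after the automount has mounted, the share point URL or the volume path in the user record is the thing to recheck, which matches the symptom of "home directory unreachable or has been moved" further down the thread.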

Umbre
Aug 16, 2008, 06:17 AM
First, thank you for your useful input.

crackpip wrote:
The first thing is that when setting up the automount, you need to make sure it is enabled for guest access.

If you use a different drive or partition for home directories under Leopard, the share point URL will be afp://FQDN/Users, but the full path will be in the /Network/Servers directory under the path: '/Network/Servers/FQDN/Volumes/Drive-Name/path-to-users'.

Yes, I found this out yesterday by trying random attempts.

crackpip wrote:
When creating users, of course, make sure they are being added to the LDAP directory, not the local database.

Using Directory.app, you need to at least have the clients set up to look at the server for authentication. If I remember correctly, you should be able to log on and see your home directory from the client at this point. For Kerberos to work, I think you have to bind the clients to the server.

Up to that point it's OK.

crackpip wrote:
Then create a computer group with the clients and server in it. Finally, you need to add user records to the Kerberos database in OpenDirectory using Server Admin.

Would you care to specify what to use for those two points? For the second one you mentioned Server Admin, but I don't see where we can add user records. Are you referring to the share point authorisations?

I am now able to log in perfectly with users whose home directory is located on the OD master, but when logging in with a user whose home directory is located on another AFP server, it enters but says the home directory is unreachable or has been moved. I did enter the paths the same way as I did for the main server. I'll double-check everything.

Umbre
Aug 16, 2008, 06:38 AM
OK, every test user works now. I simply unshared the share points and reshared them.

To sum up, the problem was solved by writing the paths for home directories correctly and by adding the other AFP servers to the Kerberos realm.

Amazing how we get better answers here than on the Apple forums ;)

Thank you and greetings!