Help with Mac OS Server and Open Directory

Discussion in 'Mac OS X Server, Xserve, and Networking' started by thecow, Sep 11, 2007.

  1. macrumors 6502

    Joined:
    Nov 24, 2003
    Location:
    Timonium MD
    #1
    I am a student in high school and in charge of a small mac lab with about 25 eMacs as a sort of internship with the yearbook/school newspaper teachers.
    I am trying to set up an Open Directory server so that everyone can have secure storage for their files rather than everyone dumping them on one folder on the server. I have set up DNS, and the name for the server does resolve correctly to its IP.

    Code:
    server:~ admin$ hostname
    server.dordai.com
    server:~ admin$ host server.dordai.com
    server.dordai.com has address 192.168.1.100
    server:~ admin$ host 192.168.1.100
    100.1.168.192.in-addr.arpa domain name pointer server.dordai.com.
    
    I can also get to the OD server from terminal on the client using dscl

    Code:
    matthew-dordais-computer:~ mattdordai$ dscl localhost
    cd LDAPv3
    /LDAPv3 > ls
    server.dordai.com
    /LDAPv3 > cd server.dordai.com
    /LDAPv3/server.dordai.com > ls
    AccessControls
    AutoServerSetup
    CertificateAuthorities
    ComputerLists
    Computers
    Config
    FileMakerServers
    Groups
    Locations
    Machines
    Mounts
    Neighborhoods
    People
    PresetComputerLists
    PresetGroups
    PresetUsers
    Printers
    Users
    /LDAPv3/server.dordai.com > cd Users
    /LDAPv3/server.dordai.com/Users > ls
    diradmin
    root
    test
    vpn_4ab158a31ea4

    If I change the user account "test" to use a Crypt Password, I can log in fine but everything I have read about crypt passwords stresses that they are insecure and should be avoided. If I set the test account to use an Open Directory password, the password is rejected when I try to log in from the client.

    The server is configured as an Open Directory Master and Lookup Server, LDAP Server, Password Server, and Kerberos are all running.

    From what I've read about OD, it seems that a crypt password does not require Kerberos but an Open Directory one does. Is this correct, and what could be wrong with the way Kerberos is configured?

    If I can't figure this out, is it really OK to just use crypt passwords for all of the users? I'm willing to bet that there are at least a few fellow students who would love to wreak havoc with everyone else's files, and it's been done before.
     
  2. macrumors 604

    MacsRgr8

    Joined:
    Sep 8, 2002
    Location:
    The Netherlands
    #2
    It seems Kerberos is not working properly then?

    Just for my info:

    If I install an OD Master I follow the following procedure so that I know it should work:
    - Install Mac OS X Server.
    - Configure as "stand alone" (manual IP address).
    - Do all system updates.
    - Do fsck, disk permissions check, and periodic daily, weekly, monthly.
    - Make sure the IP address of the server has a DNS entry with PTR; if not:
    - - - set up DNS on the Mac OS X Server with forwarders to an eligible DNS server on the network (set the local network settings' DNS server to this server, and reboot).

    - Only if all above are done to your satisfaction...:

    - Setup OD master.
    - All info concerning OD and Kerberos should be related to your OS X Server's DNS name!
    - Reboot.
    - Setup AFP.. the rest.. etc.. bla bla.

    My question is, are you sure everything is set up to your satisfaction?
    Looking at your settings, DNS and PTR seem good, but are you sure the OD search base etc. are all correctly DNS related?
     
  3. thread starter macrumors 6502

    Joined:
    Nov 24, 2003
    Location:
    Timonium MD
    #3
    That could be it, but I just noticed yesterday that it asked for a Kerberos password to connect to the server with AFP and that worked fine. I've never set up a DNS before, but it does seem like it is working correctly. I have a book at school with tutorials on how to use Mac OS X Server and I just followed the one about DNS. I know that there is a DNS for the whole school, bcps.org, but I don't exactly have access to it, and the way the county runs things it could be a royal pain to get my server added. They are phasing out all Macs anyway and probably don't want anything to do with it.

    I've also tried a smaller setup at home with Mac OS X Server and I'm having the same issue, and there is no other DNS on my home network. It seems odd that all of the tutorials I've read about this say nothing about this issue, but I've managed to produce it twice and I have no idea why.

    Pardon my n00bness, but what exactly do you mean by "OD search base etc. are all correctly DNS related?" Is that having /LDAPv3/server.dordai.com as a search path in the LDAP settings of the Directory Access utility?

    Thank you so much for your help.
     
  4. macrumors newbie

    v8media

    Joined:
    Nov 15, 2007
    Location:
    Seattle, WA
    #4
    What is PTR? A program?
     
  5. macrumors 604

    MacsRgr8

    Joined:
    Sep 8, 2002
    Location:
    The Netherlands
    #5
    PTR = "Pointer", i.e. reverse DNS lookup.

    Example:

    Forward DNS lookup (done in Terminal.app):
    macpro:~ user$ nslookup xserve.domain.com
    Server: 192.168.9.254
    Address: 192.168.9.254#53

    Name: xserve.domain.com
    Address: 192.168.9.11

    Reverse DNS lookup (= PTR record):
    macpro:~ user$ nslookup 192.168.9.11
    Server: 192.168.9.254
    Address: 192.168.9.254#53

    11.9.168.192.in-addr.arpa name = xserve.domain.com.

    In this example, "xserve.domain.com" has IP address 192.168.9.11.
    The DNS server which has been asked this query is 192.168.9.254.

    The PTR record makes sure the IP address 192.168.9.11 has been given a name in the nameserver.
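    The forward/PTR consistency that MacsRgr8 lists as a prerequisite in post #2 and explains in post #5 can be checked in one place before promoting a server to OD Master. The script below is an added example, not code from the thread or from Apple; it derives the in-addr.arpa name for an address, verifies that the A record and the PTR record agree in both directions, and can optionally run against the live system resolver. The sample zone tables are constructed for the example and reuse the hostnames and addresses quoted in the thread.

    ```python
    import ipaddress
    import socket
    from typing import Callable, List, Optional, Tuple

    # Constructed sample records (not a real zone): the healthy state that the
    # thread's "host" and "nslookup" transcripts show for both servers.
    SAMPLE_FORWARD = {
        "server.dordai.com": "192.168.1.100",
        "xserve.domain.com": "192.168.9.11",
    }
    SAMPLE_REVERSE = {
        "192.168.1.100": "server.dordai.com.",
        "192.168.9.11": "xserve.domain.com.",
    }


    def ptr_name(ip: str) -> str:
        """Return the reverse-zone name at which the PTR record for ip must live,
        e.g. 192.168.9.11 -> 11.9.168.192.in-addr.arpa."""
        return ipaddress.ip_address(ip).reverse_pointer


    def _normalise(name: str) -> str:
        # DNS names compare case-insensitively; a trailing dot is only notation.
        return name.rstrip(".").lower()


    def check_forward_reverse(
        hostname: str,
        forward_lookup: Callable[[str], Optional[str]],
        reverse_lookup: Callable[[str], Optional[str]],
    ) -> Tuple[bool, List[str]]:
        """Verify that hostname resolves to an address and that the PTR record for
        that address points back to the same hostname. Returns (ok, problems)."""
        problems: List[str] = []
        ip = forward_lookup(hostname)
        if ip is None:
            return False, [f"no A record for {hostname}"]
        name = reverse_lookup(ip)
        if name is None:
            problems.append(f"no PTR record at {ptr_name(ip)} for {hostname}")
        elif _normalise(name) != _normalise(hostname):
            problems.append(
                f"PTR at {ptr_name(ip)} points to {name}, expected {hostname}"
            )
        return (not problems), problems


    def live_forward(hostname: str) -> Optional[str]:
        """Forward lookup through the system resolver (hypothetical helper)."""
        try:
            return socket.gethostbyname(hostname)
        except socket.gaierror:
            return None


    def live_reverse(ip: str) -> Optional[str]:
        """Reverse lookup through the system resolver (hypothetical helper)."""
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None


    if __name__ == "__main__":
        # Offline run over the constructed records; swap in live_forward and
        # live_reverse to test the real server before running the OD setup.
        for host in SAMPLE_FORWARD:
            ok, problems = check_forward_reverse(
                host, SAMPLE_FORWARD.get, SAMPLE_REVERSE.get
            )
            print(host, "OK" if ok else "; ".join(problems))
    ```

    Run it as-is for the offline check; on the server itself, replace the two `SAMPLE_*.get` arguments with `live_forward` and `live_reverse` and pass the output of `hostname`. Any reported problem is worth fixing before the OD Master is created, since the thread's advice is that all OD and Kerberos configuration is derived from that DNS name.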
     
