Joining Kerberos Realm from a distance

Hi,
I have a computer that is remote from the KDC (10.4.6).
It connects by VPN (MS-CHAP Authentication).
I entered the realm in the edu-mit-kerberos file by hand and managed to get a ticket.
However every time I try to access a Group folder, I get a kernel panic.
Any ideas why? Is there another file to modify?
Ludo

Error stopped appearing after Mac OS X Update...

Similar Messages

  • How do you use an external MIT Kerberos realm for authentication in 10.4?

    Does anyone have experience with OS X Server 10.4.x Open Directory and using a "third-party" KDCs for authentication?
    I have four 10.4.5 XServes that form a SAN (Xsan). I am using a common Open Directory domain that consists of about 100 users to manage access to the SAN file space. I have one of the servers set up as OD master and a second as a failover.
    My university has a kerberos realm that includes all university staff and students. I would like to use that KDC for authentication, not create my own KDC on the OD Master.
    The SAN is only being used to support network file services, not as work stations. The users are going to mount file space on their local machines through AFP, Samba, or via ssh at the command line.
    All of the users' short names are identical to their principal names in the University kerberos realm.
    All of the Apple documentation assumes that in the OD Master will be the KDC for the OD, and part of the setup involves starting up the Kerberos KDC on the OD master system. There is mention of using any MIT Kerberos KDC, but I cannot for the life of me find where that is documented.
    I have tried using the Server Admin interface and the "Join Kerberos . . . " tool, but when I enter the principal and password, the realm name and the DNS of the KDC it always fails with "error creating the keytab file."
    I have also tried just putting a valid edu.mit.kerberos file in /Library/Preferences and creating a keytab file in the realm I want to join, and putting that at /etc/krb5.keytab in each of the servers in the OD domain, but that doesn't seem to work, either.
    Has anyone else been successful doing this with OS X Server 10.4.x?

    Leland,
    Thanks for your suggestions. I need a little more guidance though. Can you explain how to do step one?
    1) on your OD Master, using workgroup manager edit the KerberosClient record and add the correct kdc info to the XMLPlist attribute.
    Is this done on the "Inspector" tab of the Work Group manager for the user record for the principal that is in the KDC? Exactly which key value pair do I need to edit?
    No, use the "Inspector" tab to look at config records, you will find the KerberosClient & KerberosKDC records in that list.
    Select the XMLPlist attribute and edit it.
    Look for the realms dictionary and either replace the existing entry with the correct realm info or add a new entry for the realm.
    The important keys are KADM_List & KDC_List.
    You should also look at the domain_realm dictionary and make sure that also has the correct info.
    Look at the kerberos admin guide at
    <http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4.3/doc/krb5-admin/krb5.conf.html#krb5.conf>
    for an idea of what the sections mean.
    2) from the command line on a server run (as root):
    sso_util configure -r FOO.EDU -a kdcadmin -p kdcadmin_pw -v 4 all
    I would do this on each server in the OD, correct?
    yes, this step creates the service principals for the servers in the kdc, exports the info to the local keytab, and configures the services to use kerberos (so that they know their service principals)
    you might need to modify the AuthenticationAuthority entry for each user to point at the proper realm.
    Is this also done in the "Inspector" tab for each user's record in Work Group Manager?
    yes
    Thanks again for the suggestions.
    Glad to be able to help
    - Leland
    DP G4   Mac OS X (10.4.2)  

  • "Join Kerberos"

    Hi, I am trying to Join Kerberos in Open Directory in Server Admin. On this machine (Xserve running 10.4.11 server), I went to server admin, open directory, entered the information to "bind now" to Active Directory, and all 5 of the steps were successful. Then it suggests (or just gives me info on how to) Join Kerberos in the Open Directory window in server admin. There is a button in the Open Directory window that says Join Kerberos. I can't seem to get this to work properly, not sure what info to put in the boxes that appear. I am assuming that you enter the local admin username, local admin password, for realm example.domain.com and for the last field, the active directory machine name. I have bound and unbound the machine many times to get the Join Kerberos button to re-appear -- the button disappears! The main problem is what is happening in Workgroup Manager.
    When I go to Workgroup Manager I see my active directory users just fine... sometimes. Sometimes it shows that it is local only. I close Workgroup Manager and go back in, and it pulls the users up in Active Directory. In Workgroup Manager, it shows "not authenticated" always, even when I can see the Active Directory users!
    Any idea where I can find a concise document or list of instructions? It's a very simple setup really. Just want to have mac and windows clients connect to the mac shares with their active directory username and passwords.

    Hi
    You use the account details used in joining the Server to the Active Directory with the Active Directory plug-in in Directory Access. This would be an account name and password that has authority for the AD Domain. Typically the AD admin account. When you click the Join Kerberos button use those account details. OSX Server's system admin account and diradmin account will have no authority over a Kerberos Realm that is elsewhere.
    What is useful - sometimes - is before you do any of this create a diradmin account on the AD Server itself and give it the same privileges as the default AD admin account. This way when you join OD to AD, promote to OD Master and Kerberize the server the same account information is consistently used.
    Once all this happens you can use the same account information to toggle between the two LDAP nodes. The /Active Directory/All Domains node and the /LDAPv3/127.0.0.1 node. From a personal point of view I prefer to use WGM and SA on a client machine and have two WGM windows open, one for each node.
    As the last post has already said DNS is absolutely vital to all of this working correctly. By DNS I mean what is configured on the AD. Too often - sadly - I find an AD environment where the system admin swears 'nothing wrong with my AD mate' only to find (a) the AD can't resolve its name to its IP address OR - and you will like this - no Reverse Zone has been configured. It's kind of interesting watching the play of emotions come across the admin's face when the built in nslookup on the AD proves how wrong it all is. If it's not DNS then it will be sloppily organized OUs.
    Microsoft make available a really good paper that MS Certified administrators should be reading when having to accommodate macintosh clients into AD:
    http://blogs.msdn.com/sbsdocsteam/archive/2004/11/24/269407.aspx
    Hope this helps, Tony

  • Windows 8 - user login and Kerberos Realm problems.

    Hi,
    Just installed Windows 8 Enterprise x64 from our MDT into our production environment for some final testing. I have done this with both Consumer and the Release Preview just to make sure our infrastructure can support users that want to run Windows 8 (Win 7 Enterprise will still be the default OS for our client desktops).
    The problem I reported here with the Consumer Preview
    http://social.technet.microsoft.com/Forums/en-US/W8ITProPreRel/thread/069f59be-b89c-4005-8cd2-ff5fd756825a
    is still alive and kicking.
    Logon after fresh reboot. (Windows 8)
    Username: XWYZ
    Password: *********
    Sign in to: "OURKERBEROSREALM.SE"
    We authenticate all our users with our Kerberos Realm and in our AD's all user passwords are random dummy placeholders, and are linked to the Kerberos realm.
    When a user lock their computer, or put it in sleep mode, they should see this at their login.
    XWYZ (their full name)
    "OURKERBEROSREALM.SE\XWYZ(their username)
    Locked
    Password: ********
    But it does not show this… it shows:
    XWYZ (their full name)
    WINDOWS DOMAIN NAME\XWYZ(their username)
    Locked
    Password: ********
    This means that when they want to unlock their desktop, or login after sleep, it will try and authenticate their login on the domain AD and not the Kerberos realm. However if you choose to go back and select "other user" it defaults back to using "OURKERBEROSREALM.se" as "Sign in to:" domain.
    This worked flawlessly in XP, Vista and Windows 7, but not in Windows 8. Not having our Kerberos realm as default login in every scenario is kind of a bummer.

    I had some brief time looking into this, and my awesome workbuddy found that you can poke about the keys found in
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\SessionData\1
    With the LastLoggedOnSAMUser and LastLoggedOnUser values I changed from "domain"\username to "kerberosrealm"\user, and when locking my computer or restarting, I now have no need to choose "other user" every time I want to login again.
    At least somewhere to start.

  • Local Kerberos realm while bound to AD

    I installed 10.5.7 on a year old Xserve (on a freshly initialized disk) and set it up as a stand alone server. Following Bombich's guide, I then bound it to our local AD domain and made sure AD accounts could log in. This went just fine. I then promoted it to an OD Master. This also appeared to go fine. But according to the Open Directory overview in Server Admin, kerberos is still running and the kerberos realm is the FQDN of my Xserve. It was my impression that when a server, already bound to AD, was made an OD Master the KDC from the local AD domain was used. Somehow the system "just knows" to do that.
    klist shows the proper AD KDC. Any tickets that get issued reflect the proper AD KDC, I don't see my Xserve realm listed anywhere. I've run dsconfigad -enableSSO and it appears to be successful. When I run:
    defaults read /Library/Preferences/com.apple.AppleFileServer kerberosPrincipal
    it returns:
    afpserver/[email protected]
    But the results from klist -ke confuse me. I see 3 entries per service in 2 distinct sections. the first section of entries look like, for example:
    afpserver/[email protected]
    but then there's another section with 3 entries per service that read:
    afpserver/[email protected]
    So does this mean my Xserve is actually functioning as a kerberos server? Is Server Admin correct? Why would it report that kerberos is running and my server is in its own kerberos realm if it wasn't? Do I need to unbind, revert back to standalone and start over?
    Apologies for the long post. Hopefully this made sense.
    Thanks,
    Phen

    This is normal behavior. You should bind some Macs to AD and OD and then setup some WGM groups to test things out. From what you reported, you should be okay.

  • Changing the OD Domain name (kerberos realm)

    Hey folks,
    Currently our OD domain is nsnet.com - we don't own that publicly, but we use it internally. ... in retrospect, not a wise move.
    It hasn't created any DNS issues, or any real problems for that matter ... except one. It's very, very hard to get a commercial SSL certificate when you don't own the email address for the domain you want to secure.
    I've been toying with the idea of changing the domain and kerberos realm to a domain name that I can buy... but I am curious how (if at all) I can change the OD Domain and Realm in Leopard server?
    One thought is to blow away the OD domain and start from scratch - we are only talking about 15 macs, a few linux boxes and about 5 users ... but if I can change it easily then I'd like to try that first.
    thanks!
    -N

    Hi
    The Kerberos Realm Name is derived from what is configured in the DNS Service so you would have to change that first. This could have major repercussions (inevitably it always does) if you have any other Service running dependent on DNS; Web, iCal, SUS etc.
    Demotion to Standalone, re-configuring the DNS Service and re-promotion is certainly the way I would go if you have the amount of users you currently have. In a funny way it's probably quicker. One avenue you can explore is to change the DNS Service to reflect the change and then issue changeip:
    sudo changeip /LDAPv3/127.0.0.1 oldIPAddress newIPAddress oldHostName newHostname
    man changeip for usage.
    If the IP address is not changing then leave it the same. As an example your server's FQDN could be myserver.mydomain.com yielding a Kerberos Realm of MYSERVER.MYDOMAIN.COM and an IP address of 172.16.16.254, in which case the command would look like this:
    sudo changeip /LDAPv3/127.0.0.1 172.16.16.254 172.16.16.254 myserver.mydomain.com myserver.mynewdomain.com
    You'll be prompted first for the System Admin name and password as well as the Directory Admin name and password (diradmin). A couple of restarts and possibly you might be on track. If this does not work - sometimes it does not - go for demotion and proceed from there.
    Hope this helps, Tony

  • Kerberos Realm - OD Master or AD server?

    Hi,
    When implementing a dual directory or golden triangle does it matter which server is the Kerberos Realm? Some docs I have read say the OD master kerberos should be stopped and the AD domain handle Kerberos.
    Please advise as I am confused with this.
    OSX server 10.6.7 Mac clients 10.6.7 and 2008 domain
    diradmin and local admin are only users IN OD. all other users are from AD using the AD plugin.
    TIA

    Thanks for the reply. I have inherited a system whereby the OD master is the kerberos realm. What puzzles me is that everything works fine. Ad users log in, get their AD mounted home dir. They also have access to several AFP share points, wiki and blogs work, and macs are locked down using WGM. So I'm interested to learn what you actually achieve by setting AD as the Kerberos realm.
    I have also yet to find a manual or documentation that explains the pros and cons, so I would be grateful if you can tell me which manual you are referring to.

  • Connect a 10.6 Server to 10.5 Server OD Master? Can't "Join Kerberos..."

    Hello.
    I'm adding a 10.6 Server into a mix of 10.5 Servers. One of the 10.5 Servers is the OD Master. When I first set up the 10.6 Server, when I got to the "Users and Groups" screen, I chose "Connect to another server" and specified the 10.5 OD Master. On the next screen, "Directory Service", I chose to NOT set up the machine as an OD Master (since the 10.5 machine is the OD Master).
    Is this correct?
    Once I've booted in to the 10.6 Server and use Server Admin to look at the OD settings, I've set it as "Connected to another directory" and then used Open Directory Utility to connect to the 10.5 OD Master. Then, I click the "Join Kerberos..." button, but can't get past there? When I click the "Join Kerberos..." button, it asks for the following information, which I've entered as follows...
    Administrator Name: <directory admin name of the OD Master>
    Password: <directory admin password for the OD Master>
    Realm Name: xserve001.mydomain.com
    DNS/Bonjour Name of KDC: xserve001
    Is this correct?
    When I click "OK", it quickly flashes "Joining Kerberos", but nothing happens and my only options are "OK" and "Cancel". It doesn't give any errors, etc.
    Any advice would be much appreciated!
    Thanks,
    Kristin.

    Since nobody else has answered, I'll take a stab at this. Server Admin isn't very good about reporting what happens in some processes like this, so check the logs. Specifically, check slapconfig.log (Server Admin -> Open Directory -> Logs -> Configuration Log).
    If you see something like:
       slapconfig -kerberize
       command: /usr/sbin/sso_util info -r /LDAPv3/127.0.0.1 -p
       Warning: Kerberos is already configured on this server, use -f to override current settings.
    ... you're probably all set to go, and Server Admin is just failing to remove the Join Kerberos button for some reason. You can double-check this by running the command "sudo klist -ke" on the server; it should list a bunch of service principals like "afpserver/[email protected]" (with a variety of services besides "afpserver") (it'll also list some like "afpserver/LKDC:SHA1.gibberish@LKDC:SHA1.gibberish", but you can ignore these).
    If there's something else in the slapconfig log, or the XSERVE001.MYDOMAIN.COM principals are missing, report back and we'll see what we can figure out.
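Leland's step 2 earlier on this page says sso_util creates the service principals and exports them to the local keytab, and the reply just above says to confirm the join with "sudo klist -ke", look for principals in the expected realm, and ignore the LKDC ones. The Python script below is an added example, not code from either post, that parses a constructed sample of that klist output and reports which expected services have principals in the realm, which are missing, and which still carry single-DES keys. The realm and host names, the LKDC hash, the key version numbers and the service list ("afpserver", "cifs") are all placeholders chosen for the example, not values from any real server.

```python
import re
from collections import defaultdict

# Constructed sample of `sudo klist -ke` output on a Kerberized Mac OS X Server.
# Principals for the OD realm and for the Local KDC (LKDC) are mixed, as the
# reply above describes. All names and hashes are placeholders, not real systems.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afpserver/xserve001.mydomain.com@XSERVE001.MYDOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
   3 afpserver/xserve001.mydomain.com@XSERVE001.MYDOMAIN.COM (ArcFour with HMAC/md5)
   3 afpserver/xserve001.mydomain.com@XSERVE001.MYDOMAIN.COM (DES cbc mode with CRC-32)
   3 cifs/xserve001.mydomain.com@XSERVE001.MYDOMAIN.COM (Triple DES cbc mode with HMAC/sha1)
   3 cifs/xserve001.mydomain.com@XSERVE001.MYDOMAIN.COM (ArcFour with HMAC/md5)
   3 cifs/xserve001.mydomain.com@XSERVE001.MYDOMAIN.COM (DES cbc mode with CRC-32)
   2 afpserver/LKDC:SHA1.0000deadbeef@LKDC:SHA1.0000deadbeef (Triple DES cbc mode with HMAC/sha1)
   2 afpserver/LKDC:SHA1.0000deadbeef@LKDC:SHA1.0000deadbeef (ArcFour with HMAC/md5)
   2 afpserver/LKDC:SHA1.0000deadbeef@LKDC:SHA1.0000deadbeef (DES cbc mode with CRC-32)
"""

# One keytab entry: key version, principal, and an optional "(enctype)" suffix.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_klist(text):
    """Parse `klist -ke` output into dicts with kvno, service, instance, realm, enctype."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:", column header, separator, blank lines
        kvno, principal, enctype = m.groups()
        # Split on the last '@' so LKDC realms containing ':' and '.' survive intact.
        name, _, realm = principal.rpartition("@")
        service, _, instance = name.partition("/")
        entries.append({"kvno": int(kvno), "service": service, "instance": instance,
                        "realm": realm, "enctype": enctype or ""})
    return entries


def check_keytab(text, expected_realm, expected_services):
    """Report whether the keytab holds the service principals a realm join should produce."""
    entries = parse_klist(text)
    services_by_realm = defaultdict(set)
    enctypes = defaultdict(set)
    for e in entries:
        services_by_realm[e["realm"]].add(e["service"])
        enctypes[(e["service"], e["realm"])].add(e["enctype"])

    present = services_by_realm.get(expected_realm, set())
    missing = sorted(set(expected_services) - present)
    # LKDC entries are the local KDC the reply says to ignore; any other realm is unexpected.
    foreign = sorted(r for r in services_by_realm
                     if r != expected_realm and not r.startswith("LKDC:"))
    # Single DES is a weak enctype; flag services in the real realm that still carry one.
    single_des = sorted(svc for (svc, realm), ets in enctypes.items()
                        if realm == expected_realm
                        and any("DES cbc" in et and "Triple" not in et for et in ets))
    return {
        "present_services": sorted(present),
        "missing_services": missing,
        "foreign_realms": foreign,
        "lkdc_entries": sum(1 for e in entries if e["realm"].startswith("LKDC:")),
        "single_des_services": single_des,
        "ok": not missing and not foreign,
    }


if __name__ == "__main__":
    import sys
    # Pipe real output in (`sudo klist -ke | python3 check_keytab.py`); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    report = check_keytab(text, "XSERVE001.MYDOMAIN.COM", ["afpserver", "cifs"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Reading /etc/krb5.keytab needs root, which is why the reply says sudo; pipe the real output into the script and replace the realm and service list with the ones your join was supposed to create. An empty "present_services" with the realm absent altogether is the "principals are missing" case the reply asks you to report back on.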

  • How can i log out from my social media from a distance because my iPod got stolen and i don't want anyone hacking my accounts

    How do I log out of my social media from a distance because my iPod got stolen and I don't want anyone hacking into my account??

    Change your password.

  • Can't Join Windows Intune from Windows 8.1

    I have an intune account for my company and we used to have Intune Endpoint Protection on Windows 8. I have installed Windows 8.1 and I found out that I can't install the client but I have to join a workplace from the PC Settings. Every time I try to enter my e-mail address it gives me this message:
    Confirm that you are using the correct sign-in info, and that your workplace use this feature. Also, the connection to your workplace might not be working right now. Please wait and try again.
    I can sign in to the web without any problem. Is there anybody that has an idea of how this works on Windows 8.1?

    Hi,
    You can install the client on Windows 8.1 or use the "Turn On" feature under networking.  That feature uses the Mobile Device Management feature so you'll need to have your management authority for mobile devices set to Windows Intune.  You'll
    also need to have a DNS Alias setup for your public domain to ensure proper redirection to our enrollment server.
    If you want to use the client you'll need to download it from the Admin Console as we do not provide it in the Company Portal website for 8.1
    Thanks.
    Jon L. - MSFT - This posting is provided "AS IS" with no warranties and confers no rights.

  • How do you join two tables from different Oracle schemas using a subquery

    I am trying to join two tables from different Oracle schemas using a subquery. I can extract data from each of the tables without a problem. However, when I combine the select statements using a subquery I get the Oracle error *'ORA-00936: missing expression'*. Since each SELECT statement executes on its own without error I don't understand what is missing. The result set I am trying to get is to match up the LINE_ID from PDTABLE_12_1 in schema DD_12809 with the MAT_DESCRIPTION from table PDTABLE_201 in schema RA_12809.
    The query is as follows:
    sql = "SELECT [DD_12809].[PDTABLE_12_1].LINE_ID FROM [DD_12809].[PDTABLE_12_1] JOIN " _
    + "(SELECT [RA_12809].[PDTABLE_201].MAT_DESCRIPTION " _
    + "FROM [RA_12809].[PDTABLE_201]) AS FAB " _
    + "ON [DD_12809].[PDTABLE_12_1].PIPING_MATER_CLASS = FAB.PIPING_MATER_CLASS"
    The format of the query is copied from a SQL programming manual.
    I also tried executing the query using a straight JOIN on the two tables but got the same results. Any insight would be helpful. Thanks!
    Edited by: user11338343 on Oct 19, 2009 6:55 AM

    I believe you are receiving the error because you are trying to JOIN on a column that doesn't exist. For example you are trying to join on FAB.PIPING_MATER_CLASS but that column does not exist in the subquery.
    If you want to do a straight join without a subquery you could do the following
    SELECT  DD_12809.PDTABLE_12_1.LINE_ID
    ,       FAB.MAT_DESCRIPTION
    FROM    DD_12809.PDTABLE_12_1
    JOIN    RA_12809.PDTABLE_201 FAB   -- Oracle does not accept AS before a table alias
            ON DD_12809.PDTABLE_12_1.PIPING_MATER_CLASS = FAB.PIPING_MATER_CLASS
    HTH!
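To make the answer's diagnosis concrete, the following is an added Python example (not code from the thread) that models the two Oracle schemas as two attached SQLite databases, so the schema-qualified names from the question resolve the same way. Table and column names come from the question; the rows are constructed. SQLite reproduces only the defect the answer identifies, a derived table FAB that does not expose the join column; in Oracle itself the square brackets in the posted string and AS before a table alias are also rejected, because Oracle quotes identifiers with double quotes and takes table aliases without AS.

```python
import sqlite3

# The two Oracle schemas from the question, modelled as attached in-memory SQLite
# databases so that DD_12809.PDTABLE_12_1 and RA_12809.PDTABLE_201 resolve by name.
# Row data are constructed for the example.
def build_demo_connection():
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS DD_12809")
    conn.execute("ATTACH DATABASE ':memory:' AS RA_12809")
    conn.execute("CREATE TABLE DD_12809.PDTABLE_12_1 (LINE_ID TEXT, PIPING_MATER_CLASS TEXT)")
    conn.execute("CREATE TABLE RA_12809.PDTABLE_201 (PIPING_MATER_CLASS TEXT, MAT_DESCRIPTION TEXT)")
    conn.executemany("INSERT INTO DD_12809.PDTABLE_12_1 VALUES (?, ?)",
                     [("L-100", "CS150"), ("L-101", "CS150"), ("L-102", "SS300")])
    conn.executemany("INSERT INTO RA_12809.PDTABLE_201 VALUES (?, ?)",
                     [("CS150", "Carbon steel, class 150"),
                      ("SS300", "Stainless steel, class 300")])
    return conn


# The join as posted: the derived table FAB projects only MAT_DESCRIPTION, so the
# ON clause refers to FAB.PIPING_MATER_CLASS, a column FAB does not have.
BROKEN_QUERY = """
SELECT DD_12809.PDTABLE_12_1.LINE_ID, FAB.MAT_DESCRIPTION
FROM DD_12809.PDTABLE_12_1
JOIN (SELECT RA_12809.PDTABLE_201.MAT_DESCRIPTION
      FROM RA_12809.PDTABLE_201) AS FAB
  ON DD_12809.PDTABLE_12_1.PIPING_MATER_CLASS = FAB.PIPING_MATER_CLASS
"""

# Fixed: the subquery also projects the join column, so FAB.PIPING_MATER_CLASS exists.
FIXED_QUERY = """
SELECT DD_12809.PDTABLE_12_1.LINE_ID, FAB.MAT_DESCRIPTION
FROM DD_12809.PDTABLE_12_1
JOIN (SELECT RA_12809.PDTABLE_201.PIPING_MATER_CLASS,
             RA_12809.PDTABLE_201.MAT_DESCRIPTION
      FROM RA_12809.PDTABLE_201) AS FAB
  ON DD_12809.PDTABLE_12_1.PIPING_MATER_CLASS = FAB.PIPING_MATER_CLASS
ORDER BY DD_12809.PDTABLE_12_1.LINE_ID
"""


def run_query(query):
    """Run a query against a fresh demo connection and return all rows."""
    conn = build_demo_connection()
    try:
        return conn.execute(query).fetchall()
    finally:
        conn.close()


def broken_query_error():
    """Return the database error message the posted query produces, or None if it ran."""
    try:
        run_query(BROKEN_QUERY)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("posted query fails with:", broken_query_error())
    for line_id, description in run_query(FIXED_QUERY):
        print(line_id, "->", description)
```

The same rule applies to any derived table or view: only the columns it projects are visible to the outer query, so every column used in the ON clause or the outer SELECT has to be listed inside the subquery.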

  • How to access "Alternative Realm" or "Custom Realm" from components like Servlet ?

    Hello,
    Say I have an alternative realm or my custom realm which implements the
    "ManageableRealm" interface. How can I access the realm from another
    component, like a Servlet or EJB in the same WLS? I tried using code like this:
    BasicRealm realm = Realm.getRealm("XmlRealm", "weblogic", "myclass.DebugRealm");
    if (realm != null) {
        Class realmClass = realm.getClass();
        out.println("Realm is " + realmClass.getName());
    }
    where "myclass.DebugRealm" is the classname of my own realm. This realm works
    fine when used for authentication and authorization. But when I run this
    code in a servlet, it seems that it doesn't return the realm created when
    starting WLS, I mean the one that served authentication and authorization.
    Instead it creates a new instance of this class (I knew it 'cos I put a debug
    message in its constructor). So how can I get a reference to the realm
    instance which is created when starting WLS?
    Thank you in advance,
    Siros

    Hello again,
    Sorry to say that now I've got the way. I post here again for someone who
    may face that same problem.
    So strange that I just changed the realm name in the code below to "custom" and
    then it works!! My realm is extended from the "AbstractListableRealm" class and
    I think I named my realm "XmlRealm" in its constructor by calling
    super("XmlRealm");
    But it seems like its "getName()" method always returns "custom", so in servlet
    code it'd rather be:
    BasicRealm realm = Realm.getRealm("custom");
    if (realm != null) {
        Class realmClass = realm.getClass();
        out.println("Realm is " + realmClass.getName());
    }
    This works fine and no new instance of the realm is created. Anyway I saw that the
    constructor of "AbstractListableRealm" takes a String argument for the "name" of
    the realm. So why is it always "custom"???
    Comments are welcome,
    Siros

  • Could I connect the lap top to TV and watch movies and control the lap top from a distance?

    Could I connect the Apple laptop to my TV to watch movies and control the laptop from a distance just like the Windows laptop???

    Check out Apple TV.  It is a wireless interface to your TV.  It may be the best $99 investment you can make for entertainment on your TV.  It simply requires a standard $10 HDMI cable, not supplied with the Apple TV unit.  Through Apple TV, with Mavericks, you can use the TV as a standard OS X monitor or for entertainment.  Also check out the Beamer software to stream videos to it from your Mac.
    Apple TV requires a Mid 2011 or newer MacBook Air with OS X Lion v10.7.5 or later.
    If your MBA is not new enough you can use the AirParrot application but the video quality is not as high as with a newer MBA.  It also streams from iOS devices.
    http://www.apple.com/appletv/
    http://www.apple.com/appletv/airplay/
    http://store.apple.com/us/ipod/ipod-accessories/apple-tv
    http://www.apple.com/osx/whats-new/features.html#displays
    http://www.amazon.com/AmazonBasics-High-Speed-HDMI-Cable-Meters/dp/B003L1ZYYM/ref=sr_1_1?ie=UTF8&qid=1385514116&sr=8-1&keywords=hdmi+cable
    AirPlay is available on all devices running iOS 4.3 or later. Some features require the latest software. Second-generation Apple TV or later required.
    AirPlay Mirroring is available with iPhone 4s or later; iPad 2 or later; iPad mini; iPod touch (5th generation); and iMac (Mid 2011 or newer), Mac mini (Mid 2011 or newer), MacBook Air (Mid 2011 or newer), MacBook Pro (Early 2011 or newer), and Mac Pro (Late 2013) with OS X Mountain Lion or later.

  • No Easy Way to Join on Tables from Different Schemas

    Hi,
    The company policy does not allow to join on tables from different schemas or use db links...
    I'm tasked to come up with a Perl script that does exactly that - allows for the SELECT statement to do several joins on 3 different schemas. In addition 1 of the schemas is on the different host altogether.
    Upping the privileges for my user and allowing db links is not an option...Can someone, please help me to understand on a conceptual level how would I use Perl and what logic would it have and what would it (perl) do?
    Thank you,

    Caught in the wrong job... ;)
    It's like a librarian who is a hard rock artist maintaining the silence in the premises. ;)
    My dear friend, I don't think this is the right place for your requirement. This is the PL/SQL forum. If you have any problem related to PL/SQL or SQL you can place that here.
    Regards.
    Satyaki De.

  • How can i join two libraries from two different users

    How can I join two libraries from two different users on the same computer?

    I should add that you can turn on SHARING where each user can see the other user's library and play stuff out of it. But they can not import those tracks to their own library or put them into their own playlists or burn CDs of the shared library.
    Also note, to do this you need to have the fast switching option enabled with the accounts so both can be running at the same time and both must have iTunes running at the same time.
    Patrick
