{"id":43,"date":"2008-07-04T14:10:45","date_gmt":"2008-07-04T21:10:45","guid":{"rendered":"http:\/\/www.dreness.com\/blog\/archives\/43"},"modified":"2019-12-07T17:10:32","modified_gmt":"2019-12-08T00:10:32","slug":"applied-kerberos-troubleshooting","status":"publish","type":"post","link":"https:\/\/dreness.com\/blog\/archives\/43","title":{"rendered":"Applied Kerberos troubleshooting"},"content":{"rendered":"

The following is an IRC transcript taken from #afp548, irc.freenode.net. It chronicles the troubleshooting process of a fairly well-hidden edge case of Kerberos configuration in Mac OS X Server.<\/p>\n

pastebin.ca was used to relay larger hunks of textual information; I’ve made local copies of the results since the pastebin pages expire in 1 month. Pastebin displays line numbers, and those numbers are used here to refer to specific portions of text… however, pastebin doesn’t seem to allow users to copy the text including line numbers, so I added those myself (awk ‘{print NR “. “$0}’ file)<\/p>\n

16:44 <@dre^> re the kerberos question: still have to use ‘connect to’ to get kerberos
\n16:44 <@dre^> which is weird, because the browsing method is how you get kerberos for the LKDC realms, heh
\n16:44 <@dre^> at least for things like screen sharing
\n16:51 <@dre^> wow, \/dev\/random is slow
\n16:51 <@dre^> erps, ww
\n17:34 -!- ideopathic [n=ideopath@75-56-246-1.lightspeed.brbnca.sbcglobal.net] has joined #afp548
\n17:39 < SpaceBass> dre^, connect to server doesnt use the ticket either
\n17:41 < SpaceBass> and for that matter, screen sharing doesnt seem to consistantly use kerberos either
\n17:41 < SpaceBass> apple really broke things with the whole lkdc implementation
\n17:44 <@dre^> heh
\n17:44 <@dre^> if you can’t get kerberos via connect to, there is some other problem
\n17:44 <@dre^> lkdc works, kerberos works… if configured and used properly ;)
\n17:45 <@dre^> a quick list of things to check regarding kerberized services in general:
\n17:45 <@dre^> * are the client and the service service configured for the same kerberos realm?
\n17:45 <@dre^> * does the client have a valid kerberos principal in the kdc? can the client user kinit at all?
\n17:46 <@dre^> * does the service server have service keytabs in the kdc? if you kadmin –> listprincs on the kdc, do you see afpserver\/hostname@REALM?
\n17:46 <@dre^> * does the service’s configuration know what principal name to use? this is in teh afp preferences in the case of afp server
\n17:48 < SpaceBass> dre^, hard to misconfigure Leopard Server – create the DNS, create the OD domain, join to the domain
\n17:48 < SpaceBass> there’s posts all over the apple forums about it…just though I’d see if anyone had identified a work around
\n17:49 <@dre^> have an example post?
\n17:49 <@dre^> I’ve used kerberos a ton
\n17:49 <@dre^> so I know it’s not always broken all the time
\n17:49 < SpaceBass> kinit works fine, and I get a ticket at login … but I cannot use that ticket via the finder for almost anything … it does work for SSH or mount_afp in the terminal
\n17:50 <@dre^> right, but pls distinguish between finder browsing vs finder connect to
\n17:50 < SpaceBass> ever leopard machine that joins the realm creates 3 enteries for each service … host.fqdn.com host.local and a random serial number for the LKDC \/back to my mac stuff
\n17:51 < SpaceBass> so when you say connect to, do you mean GO menu –> connect to server?
\n17:51 <@dre^> yes
\n17:51 < SpaceBass> and it hasn’t been broken all the time … 10.4 worked flawlessly …
\n17:51 < SpaceBass> ok an in the connect to menu, what is the uri? I’m using afp:\/\/host … I have also tried host.domain.com and host.local
\n17:52 <@dre^> ah, .local…
\n17:52 < SpaceBass> ok, tried that and I get a box asking for user\/pass
\n17:52 <@dre^> are you using .local in your actual DNS \/ realm names?
\n17:52 <@dre^> no. dont use .local unless you are forced to, heh
\n17:53 < SpaceBass> no, I have a private domain …
\n17:53 <@dre^> and yes, it shoudl be afp:\/\/fqdn.goes.here
\n17:53 <@dre^> also verify that afpserver’s auth settings are either “any method” or “kerberos”
\n17:53 < SpaceBass> ok…with afp:\/\/host.domain.com I get 2 different results …somtimes it fails right off the bat, others it asks for user\/pass
\n17:54 <@dre^> so then you check the KDC logs to see what’s going on
\n17:54 <@dre^> but of course you probably don’t have access to those…
\n17:54 < SpaceBass> dre^, I hand checked each plist last night … that occured to me late in the game, and I was impressed to see that they all said any and kerb
\n17:54 <@dre^> which is the crappy part about debugging kerberos
\n17:54 < SpaceBass> the logs? I’m the admin
\n17:54 <@dre^> ok good. check the kdc log
\n17:56 < SpaceBass> ok…logs show me requesting a ticket for host.local
\n17:56 < SpaceBass> but I’m using fqdn and the afp plist shows the host.fqdn.com as the principal to use
\n17:57 < SpaceBass> I dont mind manually adding those principals but that seems broken to me
\n17:57 <@dre^> ok… what are your existing tickets? klist
\n17:57 <@dre^> you should not have to add .local principals
\n17:58 <@dre^> specifically, what’s the realm associated with your existing tickets (if any)
\n17:58 < SpaceBass> right now I just have the krbtgt
\n17:58 <@dre^> but in what realm?
\n17:58 <@dre^> a .local realm or ‘other’?
\n17:59 < SpaceBass> NSNET.cc
\n17:59 <@dre^> ok great
\n17:59 < SpaceBass> my realm
\n17:59 < SpaceBass> krbtgt\/NSNET.CC@NSNET.CC
\n17:59 < SpaceBass> what I’d expect
\n17:59 < SpaceBass> and if I ssh into a linux server I get host\/linux.nsnet.cc@
\n17:59 <@dre^> so the next step woudl probably be to verify the client-side kerberos configuration. get root and take a walk into \/var\/db\/dslocal\/nodes\/Default\/config
\n18:00 <@dre^> ok intersting, so the client-side config is probably correct
\n18:00 <@dre^> is the afp service running on the OD master?
\n18:00 < SpaceBass> dre^, yes, but I dont really have any shares there…mostly on leopard workstations
\n18:01 < SpaceBass> (and a linux box running netatalk, but I don’t expect anyone to help me troubleshoot that)
\n18:01 <@dre^> no problem, just getting the lay of the land… in particular, in that configuration, it’s very unlikely that your afp service would not have the required keytabs
\n18:01 < SpaceBass> in …..\/config … didn’t know about this dir
\n18:01 <@dre^> yes, that config dir is the authoritative spot for such configurations
\n18:01 <@dre^> \/L\/P\/edu.mit.Kerberos is an externalized representation of data found here
\n18:01 <@dre^> and is really ‘for legacy purposes only’
\n18:02 < SpaceBass> cool … I’m used to \/L\/P\/edu …
\n18:02 < SpaceBass> gotcha
\n18:02 < SpaceBass> good to know
\n18:02 <@dre^> yes it is. cause sometimes that translation breaks down
\n18:02 <@dre^> and you need to go see what’s up
\n18:02 <@dre^> ok… so the next thing I would do is…
\n18:03 <@dre^> stand by, but I have some awesome debugging steps for you
\n18:03 < SpaceBass> very apperciative
\n18:04 <@dre^> ok here goes
\n18:04 <@dre^> a) open a terminal and execute the following:
\n18:04 <@dre^> sudo syslog -c syslog -d
\n18:04 <@dre^> sudo syslog -c 0 -d
\n18:04 <@dre^> killall NetAuthAgent
\n18:04 <@dre^> kdestroy -A
\n18:04 <@dre^> syslog -w
\n18:04 <@dre^> b) start a connection in Finder using ‘connect to’
\n18:05 <@dre^> once you attempt a connection using the proper fqdn, enter a name \/ pw if prompted
\n18:05 <@dre^> then wait 30 seconds for syslog in teh terminal to catch up, then cntrl-c it
\n18:05 <@dre^> you should find ample \/ useful debugging info in the terminal (syslog) output
\n18:05 < SpaceBass> interesting
\n18:05 < SpaceBass> lots of info
\n18:05 <@dre^> but I can help make sense of it if you need
\n18:05 < SpaceBass> getting asked for user\/pass for the share
\n18:06 < SpaceBass> checking the logs now
\n18:06 <@dre^> Look for KRBCreateSession, and right after that…
\n18:06 <@dre^> you should see the results of some realm_for_host calls…
\n18:07 < SpaceBass> now the kdestroy removed all tickets … expected ?
\n18:07 <@dre^> my guess is that such results are either wrong or missing
\n18:07 <@dre^> yes, expected
\n18:07 < SpaceBass> k
\n18:07 <@dre^> but this process should obtain new tickets
\n18:07 < SpaceBass> how would it get my password?
\n18:07 < SpaceBass> I dont have it saved in the keychain
\n18:08 < SpaceBass> right after the KRBCreateSession line I see:
\n18:08 < SpaceBass> (and I can’t cut\/paste b\/c I’m using two different machines)
\n18:09 < SpaceBass> parse_principal … decomposing afpserver\/osx5.nsnet.cc@NSNET.cc (seems correct)
\n18:09 <@dre^> ok
\n18:10 <@dre^> and you probably do have it in your keychain if you got in without authing
\n18:10 -!- SpaceBass2 [n=SP@96.228.61.195] has joined #afp548
\n18:10 <@dre^> ok, so that means that afp server is returning the expected principal name
\n18:10 < SpaceBass2> flood warning
\n18:10 < SpaceBass2> : [[[ KRBCreateSession () – required parameters okay
\n18:10 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: [[[ parse_principal_name () decomposing afpserver\/osx5.nsnet.com@NSNET.COM
\n18:10 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: ]]] parse_principal_name () – 0
\n18:10 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: KRBCreateSession: processed host name = osx5.nsnet.com
\n18:10 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: KRBCreateSession: last char of host name = 0x6d
\n18:11 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: KRBCreateSession: getaddrinfo = success (0)
\n18:11 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: KRBCreateSession: canonical host name = osx5.nsnet.com
\n18:11 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: [[[ realm_for_host: hostname=osx5.nsnet.com hintrealm=NSNET.COM
\n18:11 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: realm_for_host: krb5_get_host_realm returned unusable realm!
\n18:11 < SpaceBass2> Thu Jul 3 18:02:07 osx1 NetAuthAgent[2861] <Debug>: ]]] realm_for_host: failed to determine realm
\n18:11 <@dre^> ah ha
\n18:11 < SpaceBass> dre^, I did NOT get in without authing … I got the finder prompt for user\/pass
\n18:11 <@dre^> ok that’s good
\n18:11 <@dre^> and expected
\n18:12 <@dre^> it definitely looks as though the client kerberos config is malformed somehow
\n18:12 <@dre^> since it thinks NSNET.COM is unusable
\n18:12 <@dre^> go ahead and kinit and paste in the TGT you get
\n18:12 <@dre^> or jsut klist if you already have one
\n18:12 < SpaceBass> ok…here’s the thing…its a brand spanking new Macbook pro … first thing out of the box…configured DNS, did updates, jointed to domain using directory utility.app
\n18:13 <@dre^> is that the client or afp server?
\n18:13 < SpaceBass2> Kerberos 5 ticket cache: ‘API:Initial default ccache’
\n18:13 < SpaceBass2> Default principal: ndawson@NSNET.COM
\n18:13 < SpaceBass2> Valid Starting Expires Service Principal
\n18:13 < SpaceBass2> 07\/03\/08 18:09:58 07\/04\/08 04:09:58 krbtgt\/NSNET.COM@NSNET.COM
\n18:13 < SpaceBass2> renew until 07\/10\/08 18:09:58
\n18:13 < SpaceBass> client
\n18:13 <@dre^> hmm, ok
\n18:14 <@dre^> could you post or email me your \/L\/P\/edu.mit.Kerberos?
\n18:14 <@dre^> dre@mac.com
\n18:14 < SpaceBass> can post – its short
\n18:15 < SpaceBass> pastebin at least
\n18:15 <@dre^> sure
\n18:15 < SpaceBass2> https:\/\/pastebin.ca\/1061728<\/p>\n

# WARNING This file is automatically created, if you wish to make changes
\n# delete the next two lines
\n# autogenerated from : \/LDAPv3\/vail.nsnet.com
\n# generation_id : 97528862
\n[libdefaults]
\ndefault_realm = NSNET.COM
\n[realms]
\nNSNET.COM = {
\nadmin_server = vail.local
\nkdc = vail.local
\n}
\n[domain_realm]
\n.local = NSNET.COM
\nlocal = NSNET.COM
\n[logging]
\nadmin_server = FILE:\/var\/log\/krb5kdc\/kadmin.log
\nkdc = FILE:\/var\/log\/krb5kdc\/kdc.log<\/p>\n

18:16 < SpaceBass> thats a little different than I’m used to seeing – but its what apple generates
\n18:16 <@dre^> loading…
\n18:16 <@dre^> (slowly)
\n18:17 < SpaceBass> again, really appreciate the help
\n18:17 <@dre^> sure no prob :)
\n18:18 < SpaceBass2> I am surprised that apple’s automated processes seem to be broken
\n18:19 <@dre^> heh, well… I guess that’s good. one should ideally expect things to work properly without too much work :)
\n18:20 < SpaceBass2> exactly
\n18:21 <@dre^> ok it loaded finally
\n18:21 <@dre^> oh, lol
\n18:21 <@dre^> I see the problem :P
\n18:22 <@dre^> kdc = vail.local
\n18:22 <@dre^> vail.local should be a fqdn
\n18:22 < SpaceBass2> in the edu… ?
\n18:22 <@dre^> yes absolutely
\n18:22 < SpaceBass2> see, I thought the same thing, but what is that part about the aliasing?
\n18:23 <@dre^> theoretically in a perfect world this would be a valid configuration
\n18:23 < SpaceBass2> :D
\n18:23 <@dre^> the thing is that Kerberos makes assumptions based on host name \/ fqdn
\n18:23 < SpaceBass2> ok … if I change edu.mit.kerb …how do I get it to update the files in \/var…\/config
\n18:23 <@dre^> so you need to use the fqdn for the KDC that matches the host name portion of the kerberos principals
\n18:23 <@dre^> you should not change it
\n18:23 <@dre^> you should unbind and rebind using a fqdn and see what happens
\n18:23 < SpaceBass2> ok
\n18:24 < SpaceBass2> rebind using the fqdn of the server?
\n18:24 <@dre^> yes
\n18:24 < SpaceBass2> odd, b\/c thats what I did
\n18:24 <@dre^> unbind \/ rebind the client
\n18:24 <@dre^> ok, then don’t do that
\n18:24 < SpaceBass2> glad to re-try
\n18:24 -!- dakine [n=sam@bas3-toronto01-1177779856.dsl.bell.ca] has quit [“This computer has gone to sleep”]
\n18:24 <@dre^> let’s verify the server configuraiton
\n18:24 < SpaceBass2> k
\n18:24 <@dre^> on teh OD master: sudo slapconfig -checkhostname
\n18:24 <@dre^> er, sorry
\n18:25 <@dre^> sudo changeip -checkhostname
\n18:25 < SpaceBass2> yeah , I figured thats what you meant :D … vail.nsnet.com
\n18:25 <@dre^> in general, it’s good to resist the temptation to hand-hack any config files, because doing so may break assumptions that apple makes about the contents of the files, in the cases where the same config files are maintained automatically by apple tools
\n18:26 < SpaceBass2> dre^, I’ve learned that the hard way before :)
\n18:26 <@dre^> so it says “there’s nothing to change” at the end?
\n18:26 < SpaceBass2> yes
\n18:26 <@dre^> ok good
\n18:26 < SpaceBass2> names match, nothing to change
\n18:27 <@dre^> does the server’s \/L\/P\/edu.mit.Kerberos look the same?
\n18:27 <@dre^> it probably will…
\n18:27 < SpaceBass2> exactly the same
\n18:27 < SpaceBass2> (and that damn .local keeps throwing me off too)
\n18:27 <@dre^> yeah. it should be. that data is all downloaded by the client from the LDAP directory
\n18:28 <@dre^> (when you bind, a tool called kerberosautoconfig … well, does that)
\n18:28 < ideopathic> i’m following a long trying to learn a little about kerberos. where is the file located that you uploaded to pastbin?
\n18:28 < SpaceBass2> and, like I said…ssh and mount_afp work …
\n18:28 < SpaceBass2> ideopathic, \/Library\/Preferences
\n18:28 < SpaceBass2> ideopathic, this is a good one to follow :D learning a lot myself
\n18:28 <@dre^> there is still something wrong if it thinks your kdc is hosted by a .local thing
\n18:28 <@dre^> you’re supposed to get a fqdn there, e.g. vail.nsnet.com
\n18:29 <@dre^> ok, so let’s check your kdc configuration…
\n18:29 <@dre^> on the KDC (OD master): ps auxwww | grep krb
\n18:29 -!- dakine [n=sam@bas3-toronto01-1177779856.dsl.bell.ca] has joined #afp548
\n18:29 <@dre^> you shoudl see krb5kdc running and supporting at least one realm
\n18:29 < SpaceBass2> root 96 0.0 0.2 82512 2480 ?? S 25Jun08 0:15.03 \/usr\/sbin\/krb5kdc -n -r LKDC:SHA1.B3567769537F126486F54B94C5B03C7A439C0F80 -r NSNET.COM -a
\n18:29 <@dre^> very interesting
\n18:30 <@dre^> so the KDC thinks it’s hosting two realms, the LKDC realm and the NSNET.COM realm
\n18:30 < SpaceBass2> yeah…theres those damn lkdc entries again
\n18:30 <@dre^> that’s fine, don’t fear the lkdc ;)
\n18:30 < SpaceBass2> oh but I do :D
\n18:30 <@dre^> perhaps this will aleviate your concern: https:\/\/dreness.com\/wikimedia\/index.php?title=LKDC
\n18:30 <@dre^> a little write-up I did about the LKDC
\n18:31 <@dre^> but that is beside the point
\n18:31 <@dre^> the question is: what broke between the KDC configuration and the population of the KerberosClientConfig record in OD
\n18:31 <@dre^> open workgroup manager
\n18:32 <@dre^> actually let’s just use dscl
\n18:32 < SpaceBass2> cool – good reading!
\n18:32 <@dre^> dscl \/LDAPv3\/127.0.0.1 (on the OD master)
\n18:32 < SpaceBass2> k
\n18:32 <@dre^> read \/Config\/KerberosClient
\n18:32 < SpaceBass2> I’ll warn you, my dscl-fu is weak
\n18:33 <@dre^> this should be similar to what you see in \/L\/P\/edu.mit.kerberos (albeit formated differently)
\n18:33 <@dre^> true or false?
\n18:33 < SpaceBass2> checking -its xml …but close
\n18:33 <@dre^> mainly looking for vail.local
\n18:33 < SpaceBass2> yeah
\n18:34 < SpaceBass2> its there
\n18:34 <@dre^> ok
\n18:34 < SpaceBass2> as the KDC for nsnet.com
\n18:34 < SpaceBass2> nsnet.cc
\n18:34 <@dre^> this is the data that is downloaded by clients when they bind
\n18:34 <@dre^> wait
\n18:34 < SpaceBass2> ah!
\n18:34 <@dre^> nsnet.cc or nsnet.com!?!
\n18:34 < SpaceBass2> cc
\n18:34 < SpaceBass2> sorry
\n18:34 < SpaceBass2> er..com
\n18:34 < SpaceBass2> it is com
\n18:34 <@dre^> hehe
\n18:34 < SpaceBass2> and .com is correct
\n18:35 <@dre^> ok
\n18:35 < SpaceBass2> and if I’ve been saying .cc its an old habit
\n18:35 < SpaceBass2> but nsnet.com is a private domain …in that i do not own it on the interwebs
\n18:35 <@dre^> … that is not recommended ;)
\n18:35 <@dre^> you should use fake TLDs in that case
\n18:35 < SpaceBass2> yeah, stupid move that I made years ago and wish I could undo
\n18:36 <@dre^> e.g. nsnet.lan
\n18:36 < SpaceBass2> but I suspect trying to change the realm now would be pretty challenging
\n18:36 <@dre^> you can and should un-do it as a reasonably high priority
\n18:36 <@dre^> it could cause very hard to track down DNS ‘problems’
\n18:36 <@dre^> but we’ll talk about that later
\n18:36 < SpaceBass2> what I’d really like to do get a public domain and do a dual horizon dns … would make getting a comercial cert much easier
\n18:37 < SpaceBass2> but like you said, I can tackel that later
\n18:37 <@dre^> ok, so
\n18:37 <@dre^> now let’s look at \/Library\/Logs\/slapconfig.log
\n18:37 <@dre^> might wanna slap that on pastebin
\n18:37 <@dre^> (on the OD master)
\n18:37 <@dre^> slapconfig.log records information about OD role changes, such as promotion to master
\n18:38 < SpaceBass2> assume there is nothing sensitive in there
\n18:38 <@dre^> nothing that you haven’t already told us :)
\n18:38 <@dre^> might be an admin account name
\n18:38 * SpaceBass2 pats his PFsense box
\n18:38 <@dre^> but certainly no passwords…
\n18:39 < SpaceBass2> https:\/\/pastebin.ca\/1061749<\/p>\n

http:\/\/dreness.com\/bits\/tech\/applied_kerberos_troubleshooting\/paste1<\/a><\/p>\n

18:39 <@dre^> (although before tiger shipped, I did find admin passwords in that log… heh. fixed before ship though, thankfully…)
\n18:39 < SpaceBass2> ouch!
\n18:39 <@dre^> full disclosure: I work at apple
\n18:40 <@dre^> loading slow again…
\n18:40 < SpaceBass2> yeah? awesome
\n18:40 < SpaceBass2> full discolsure I’m a fan boy
\n18:40 <@dre^> hehe
\n18:40 * SpaceBass2 has 16 macs …personally … this is a home setup by the way
\n18:41 < SpaceBass2> and my wife is only tolerating me troubleshooting this right now b\/c I’ve promised that she’ll be able to mount the media share again
\n18:41 <@dre^> haha
\n18:41 <@dre^> ok it’s loaded, reading
\n18:42 < SpaceBass2> k
\n18:42 < SpaceBass2> reading myself as its new to me
\n18:42 <@dre^> I see you had one false start
\n18:43 < SpaceBass2> yeah – in fact, the long history is that I did a tiger-leo upgrade and it failed several times … so I blew it away and re-created the OD from sctatch …and did indeed have a false start
\n18:44 <@dre^> hmm, looks like you’re merging in an OD backup from tiger
\n18:45 < SpaceBass2> I did try and pull in a backup – again failed … you should see where I eventually re-created by hand
\n18:45 < SpaceBass2> if memory serves ….
\n18:45 <@dre^> heh ok, still reading
\n18:45 < SpaceBass2> I did try and pull in the backup and then create new passwords, but I wasn’t getting user principals
\n18:46 <@dre^> upgrades are risky business…
\n18:48 <@dre^> ok, so if you look at line 247
\n18:48 <@dre^> that’s where it starts creating the wrong service principals
\n18:48 <@dre^> though there is no obvious indication of why it’s doing it wrong… between line 202 and 247 appears normal
\n18:49 < SpaceBass2> leme look
\n18:49 < SpaceBass2> the warnings?
\n18:49 <@dre^> no, the principal name itself
\n18:49 <@dre^> er, the hostname portion of the service principals
\n18:49 <@dre^> vail.local
\n18:50 < SpaceBass2> i see
\n18:50 <@dre^> intersetingly enough, when you kerberize other hosts, they work
\n18:50 <@dre^> e.g. telluride
\n18:50 <@dre^> that explains why ssh to linux is working
\n18:50 < SpaceBass2> telluride is a linux box – added by hand
\n18:50 <@dre^> *nod*
\n18:50 <@dre^> note line 327
\n18:51 <@dre^> the service principals are being created with the correct server name
\n18:51 < SpaceBass2> humm I cannot seem to get into kadmin
\n18:51 <@dre^> try kadmin.local as root
\n18:51 < SpaceBass2> but what I have observed in the past is that it creates 3 enteries for each OSX host
\n18:51 <@dre^> yes, that is fixed in 10.5.3
\n18:51 <@dre^> but only for ‘new’ installs :\/
\n18:51 < SpaceBass2> is it?!?!
\n18:52 <@dre^> it’s not really a functional problem, more cosmetic
\n18:52 < SpaceBass2> I’m on 10.5.2 – been avoiding the upgrade b\/c I wasn’t sure it was safe yet
\n18:52 <@dre^> well now it’s 10.5.4, heh
\n18:52 < SpaceBass2> even for server?
\n18:52 <@dre^> yes
\n18:52 < SpaceBass2> on .4 for clients
\n18:52 < SpaceBass2> cool
\n18:52 <@dre^> in general, updates ship at the same time for client and server
\n18:52 < SpaceBass2> I’ll update tonight if all goes well
\n18:52 < smultron> i updated
\n18:53 < smultron> no problems
\n18:53 <@dre^> well… if you don’t have a lot of stuff in your OD master, you should probably demote \/ promote
\n18:53 < SpaceBass2> interesting – I only see vail.local in the keytab
\n18:53 <@dre^> yes, that is a problem :)
\n18:53 <@dre^> you might be able to slapconfig -kerberize your way to nirvana… lemme see
\n18:53 < SpaceBass2> oh yeah it is! can’t belive I missed that
\n18:53 <@dre^> I’ve never really done that, since I always stop at the first sign of weirdness and start over
\n18:53 < SpaceBass2> I mean, I can add em if need be
\n18:54 <@dre^> in general, watch slapconfig.log like a hawk whenever you do OD stuff
\n18:54 < SpaceBass2> but, since osx1.nsnet.com is trying to connect to osx5.nsnet.com … does vail.local matter?
\n18:54 < SpaceBass2> would that break the “chain” so to speak?
\n18:55 <@dre^> well, it matters in the sense that vail’s services are kerberized using the wrong hostname
\n18:55 < SpaceBass2> (and hostname on the kdc reports vail.nsnet.com )
\n18:55 <@dre^> right, it’s just the self-kerberization that failed for some reason
\n18:56 <@dre^> ok, couple more things to check…
\n18:57 <@dre^> sudo sso_util info -r \/LDAPv3\/127.0.0.1
\n18:57 <@dre^> should return NSNET.COM
\n18:58 < SpaceBass2> ’tis
\n18:58 < SpaceBass2> nsnet.com
\n19:00 <@dre^> ok, so there is an sso_util command that can attempt to kerberize services on the OD master
\n19:00 <@dre^> sso_util configure
\n19:00 < SpaceBass2> oh…?
\n19:00 <@dre^> but this will make changes
\n19:00 < SpaceBass2> at this point, its not like I cannot rebuild again … data is on the clients and its all backed up
\n19:00 <@dre^> so before doing that, let me ask: how much stuff is in the OD master? How long would it take you to demote and promote, and recreate all of the users \/ kerberized hosts?
\n19:00 <@dre^> ok
\n19:00 < SpaceBass2> and rebuilding the OD master isn’t too hard
\n19:01 <@dre^> well depends on how much stuff is in it :) the idea is we don’t want to restore from an archive
\n19:01 < SpaceBass2> I’d really prefer not to do that…at least not tonight … but its “do-able”
\n19:01 <@dre^> as that will restore potentially bad data
\n19:01 <@dre^> well doing the sso_util configure shouldn’t break anything other than kerberized services on the OD master
\n19:01 < SpaceBass2> guess what I’m saying is: I’m ok with risking it
\n19:01 <@dre^> which means that at works, you have to use standard auth and not kerberos
\n19:01 <@dre^> s\/works\/worst\/
\n19:02 < SpaceBass2> I can live with standard for a few days if I have to
\n19:03 <@dre^> ok so try: sudo sso_util configure -r NSNET.COM -a admin-name all
\n19:03 <@dre^> where admin-name is your *directory* administraotr
\n19:03 <@dre^> you will be prompted for a password
\n19:03 < SpaceBass2> says either us -p or named pipe
\n19:04 <@dre^> oh, interesting… must be a difference between versions
\n19:04 <@dre^> try passing -p with no password
\n19:04 < SpaceBass2> same error
\n19:04 <@dre^> blah, then do -p <password>
\n19:04 <@dre^> which is evil and stupid
\n19:04 <@dre^> 10.5.4 server allows you to get a secure prompt
\n19:04 < SpaceBass2> guess I can truncate history later :D
\n19:04 <@dre^> heh *nod*
\n19:05 <@dre^> hopefully you will see it creating new service principals…
\n19:05 < SpaceBass2> ok…same error …so I moved -p right after the -a diradmin
\n19:05 <@dre^> in the form service\/vail.nsnet.com\/NSNET.COM
\n19:05 <@dre^> hmm
\n19:05 < SpaceBass2> creating service princs
\n19:05 < SpaceBass2> add_principal: Principal or policy already exists while creating “ldap\/vail.local@NSNET.COM”.
\n19:05 <@dre^> bah!
\n19:06 <@dre^> and you are sure that the ‘hostname’ command does not return vail.local?
\n19:06 < SpaceBass2> 100%
\n19:06 <@dre^> oh, I guess this could be keying off the KerberosConfig record…
\n19:06 <@dre^> maybe we need to re-publish that
\n19:06 <@dre^> ok let’s see…
\n19:07 < SpaceBass2> and by the way – if I’m keeping you from something, please say so
\n19:07 < SpaceBass2> you’v been more than helpful, to say the least
\n19:07 <@dre^> well thanks :) I kinda wanna solve this, I’m sure i’ll be seeing similar problems from others…
\n19:07 <@dre^> (I help scrub incomming server bugs)
\n19:08 < SpaceBass2> I really appreciate the help!
\n19:08 < SpaceBass2> gotcha – so this is right up your alley then
\n19:08 < SpaceBass2> although I suspect you dont see many home users with Server
\n19:09 <@dre^> well, no…
\n19:10 <@dre^> ok, gotta find how the KerberosClient record can be re-created
\n19:10 <@dre^> cause that’s where the bad data is coming from
\n19:10 < SpaceBass2> I’d show you my server cabinet and rack …but its a tad shoddy compared to a real server room
\n19:10 <@dre^> could very well have been left over from the false start(s)
\n19:12 < SpaceBass2> humm
\n19:12 <@dre^> ok how about this
\n19:12 <@dre^> dscl \/Search list \/Computers
\n19:13 < SpaceBass2> livingroom.local$
\n19:13 < SpaceBass2> livingroom.nsnet.com$
\n19:13 < SpaceBass2> LKDC:SHA1.2F5BAB71984D985DC0BA0D103C85DC067EF0A22E$
\n19:13 < SpaceBass2> LKDC:SHA1.64604752011301522B118A9CFE83A95560B194E5$
\n19:13 < SpaceBass2> LKDC:SHA1.AB999D5B63EDDCDC11B360E1EACB9536849844CC$
\n19:13 < SpaceBass2> LKDC:SHA1.C1E7E428054307B586CD240141B42583DF46FB5A$
\n19:13 < SpaceBass2> LKDC:SHA1.C2DA7627FD7C4E44EFE720A00FAE2CE2F76BA9A8$
\n19:13 < SpaceBass2> LKDC:SHA1.DD1F37D568FCC14ACE2F3935554012B235C87A4C$
\n19:13 < SpaceBass2> LKDC:SHA1.DD362AEF0FD6C7CBA5664D5FD27818058317ED49$
\n19:13 < SpaceBass2> osx1
\n19:13 < SpaceBass2> osx1.local$
\n19:13 < SpaceBass2> osx1.nsnet.com$
\n19:13 < SpaceBass2> osx10.local$
\n19:13 < SpaceBass2> osx10.nsnet.com$
\n19:13 < SpaceBass2> osx5
\n19:13 < SpaceBass2> osx5.nsnet.com$
\n19:13 < SpaceBass2> osx7.local$
\n19:13 < SpaceBass2> osx7.nsnet.com$
\n19:13 < SpaceBass2> telluride.nsnet.com
\n19:13 < SpaceBass2> vail.nsnet.com$
\n19:13 < SpaceBass2> oops…SORRY
\n19:13 < SpaceBass2> ment to put that into pastebin
\n19:13 <@dre^> no worries, butok, vail.nsnet.com is there
\n19:15 < SpaceBass2> help me understand the $ … is that some kind of wild card
\n19:15 <@dre^> used for computer records
\n19:15 <@dre^> maybe only those with a qualified name
\n19:15 <@dre^> e.g. foo.tld instead of just foo
\n19:15 <@dre^> and I think only when they are auto-generated
\n19:16 <@dre^> which is why teh linux box record doesn’t have one
\n19:16 < SpaceBass2> gotcha
\n19:16 < SpaceBass2> gotcha
\n19:17 <@dre^> ok hmmm
\n19:17 < SpaceBass2> I’ve avoided joining the other machines until I get the issues sussed out
\n19:18 <@dre^> dscl \/Search read “\/Computers\/vail.nsnet.com$”
\n19:18 <@dre^> sorry
\n19:18 <@dre^> dscl \/Search read “\/Computers\/vail.nsnet.com$” cn
\n19:19 < SpaceBass2> dsAttrTypeNative:cn: vail.nsnet.com$ vail.nsnet.com
\n19:19 <@dre^> ok
\n19:20 <@dre^> kdcsetup is the one who writes the KerberosClient record into LDAP
\n19:22 <@dre^> but it doesn’t appear to be able to only re-write KerberosClient without doing everything else
\n19:22 <@dre^> so fire up WGM
\n19:22 <@dre^> go into prefs, turn on the inspector
\n19:22 < SpaceBass2> k
\n19:22 < dakine> hey guys, quick question
\n19:23 < dakine> what do you say you do for a living?
\n19:23 <@dre^> click the bullseye icon (the right-most above the left-hand list view)
\n19:23 <@dre^> I work at apple as a seed engineer
\n19:23 < SpaceBass2> <– healthcare process improvement :D
\n19:23 <@dre^> software seeding, that is
\n19:23 < SpaceBass2> looking for inspector
\n19:24 <@dre^> second checkbox
\n19:24 <@dre^> (in the wgm prefs)
\n19:24 < dakine> lol
\n19:24 < dakine> ok
\n19:24 < SpaceBass2> see it now
\n19:24 <@dre^> dakine: in case that isn’t clear, I help mediate communications between external customers with bugs and apple software engineers
\n19:24 < SpaceBass2> ok…in the bulls eye
\n19:24 < SpaceBass2> also new to me
\n19:25 < dakine> ah
\n19:25 <@dre^> from the pop-up menu, select Config
\n19:25 < dakine> so you are the middleman
\n19:25 <@dre^> well I hate that term, heh
\n19:25 < dakine> cause the software engineers arent people persons
\n19:25 <@dre^> middleman implies that I’m good for nothing ;)
\n19:25 < dakine> lol
\n19:25 < dakine> listen
\n19:25 < dakine> nothing gets done without the middle man
\n19:26 <@dre^> space: then select KerberosClient
\n19:26 < dakine> its just the problem givers and the problems solvers in communicado
\n19:26 <@dre^> then select XMLPlist and click Edit below
\n19:26 < dakine> anyways I am off
\n19:26 <@dre^> later dakine :)
\n19:26 < SpaceBass2> im there
\n19:26 < SpaceBass2> later dakine
\n19:26 <@dre^> fix the hostnames
\n19:26 <@dre^> vail.local becomes vail.nsnet.com
\n19:27 < SpaceBass2> k
\n19:27 <@dre^> and increment the generation ID by one
\n19:27 <@dre^> (at the bottom)
\n19:27 < SpaceBass2> fixed
\n19:27 <@dre^> the generation ID is how the client tells if its local version of the config is stale
\n19:28 < SpaceBass2> ah
\n19:28 < SpaceBass2> that long integer at the btm?
\n19:28 <@dre^> yes
\n19:28 < SpaceBass2> k
\n19:29 <@dre^> click OK to comit the changes
\n19:29 <@dre^> click Save if it’s lit up
\n19:29 < SpaceBass2> k
\n19:29 <@dre^> go back to the client and run sudo kerberosautoconfig
\n19:29 <@dre^> (we’ll do the server next if this works)
\n19:29 <@dre^> then examine edu.mit.Kerberos on the client
\n19:30 <@dre^> the kdc and kdc admin server should be reported as vail.nsnet.com
\n19:30 < SpaceBass2> yep
\n19:30 < SpaceBass2> it is
\n19:30 <@dre^> ok great
\n19:30 <@dre^> same thing on the OD master
\n19:30 < SpaceBass2> on the master huh?
\n19:30 < SpaceBass2> k
\n19:30 <@dre^> aye
\n19:31 < SpaceBass2> done
\n19:31 <@dre^> now we want to sso_util configure again, same as before… lemme double check the usage
\n19:31 <@dre^> sudo sso_util configure -r NSNET.COM -a whatever -p whatever all
\n19:32 <@dre^> now you shoudl get correct keytabs
\n19:32 <@dre^> if so, that *should* be it
\n19:32 < SpaceBass2> still got warnings about the .local :(
\n19:33 <@dre^> BAH
\n19:33 <@dre^> and you did check that it got an updated edu.mit.kerberos, right?
\n19:33 <@dre^> the od master
\n19:33 < SpaceBass2> yeah
\n19:34 < SpaceBass2> its correct
\n19:34 <@dre^> hmm
\n19:34 <@dre^> oh, uhm..
\n19:34 <@dre^> well no, not a stale DS cache if hte on-disk file is correct
\n19:35 < SpaceBass2> yeah, checking \/L\/P\/edu…
\n19:35 -!- Azhi_Dahaka [n=Azhi@unaffiliated\/azhidahaka\/x-172934] has quit []
\n19:36 <@dre^> oooo
\n19:36 <@dre^> I think I know :)
\n19:37 <@dre^> you might have an ‘upgraded’ sso_util
\n19:37 <@dre^> from tiger
\n19:37 <@dre^> md5 \/usr\/sbin\/sso_util
\n19:37 <@dre^> paste results pls
\n19:37 < SpaceBass2> its a fresh install from leopard
\n19:37 <@dre^> oh dammit
\n19:37 < SpaceBass2> its a one liner
\n19:37 < SpaceBass2> MD5 (\/usr\/sbin\/sso_util) = 32a7a95f3e49502ddb0863583c30410d
\n19:37 < SpaceBass2> 10.5.3 remember
\n19:38 <@dre^> ppc?
\n19:38 < SpaceBass2> yeah …
\n19:38 < SpaceBass2> g4
\n19:38 <@dre^> k, no problem. but that probably explains why its different from mine
\n19:38 <@dre^> actually..
\n19:38 <@dre^> file \/usr\/sbin\/sso_util
\n19:38 <@dre^> paste results
\n19:38 < SpaceBass2> if I buy an xserver my wife call it quits
\n19:39 <@dre^> heh, they are big and loud
\n19:39 < SpaceBass2> https:\/\/pastebin.ca\/1061784
\n19:40 < SpaceBass2> can’t be louder than my 2u linux box :D
\n19:40 < SpaceBass2> but might be hotter
\n19:41 <@dre^> just looking for both a ppc and i386 image, that’s all…
\n19:41 <@dre^> not really taht important.
\n19:41 <@dre^> hmm, there’s supposed to be an sso_util debug mode…
\n19:42 < SpaceBass2> is sso_util unique to OSX?
\n19:42 <@dre^> here we go
\n19:42 <@dre^> this is gonna be big-ass
\n19:43 <@dre^> same sso_util command, but add: -v 7 after configure and before -r
\n19:43 <@dre^> and pastebin results
\n19:43 < SpaceBass2> which cmd?
\n19:43 < SpaceBass2> the confgure ?
\n19:43 < SpaceBass2> configure ?
\n19:43 <@dre^> sso_util configure -v 7 …
\n19:44 < SpaceBass2> any second Im going to forget and pastebin the admin passwd
\n19:45 <@dre^> well at least your conscious of that possibility ;)
\n19:46 < SpaceBass2> https:\/\/pastebin.ca\/1061791<\/p>\n

http:\/\/dreness.com\/bits\/tech\/applied_kerberos_troubleshooting\/paste2 <\/a><\/p>\n

19:46 <@dre^> I suspect that the GerPrimaryHostName block will contain the error…
\n19:47 <@dre^> oh snap, do you have multiple IPs on the od master?
\n19:47 < SpaceBass2> leme check – I did under tiger server, but didn’t tink I did any more
\n19:48 <@dre^> man pastebin.ca needs an upgrade
\n19:48 <@dre^> still loading… there it goes
\n19:48 <@dre^> shit
\n19:48 < SpaceBass2> I had to do it under tiger b\/c I did a DNS move (migrated from Windows Server…what a mistake that was) … but thats a long story
\n19:49 < SpaceBass2> yeah…still have two IPs
\n19:50 < SpaceBass2> don’t need the 2nd anymore since I’m not doing VPN on the OSX server anymore
\n19:50 <@dre^> yep foudn the problem
\n19:50 <@dre^> line 433
\n19:51 < SpaceBass2> <CFArray 0x10ec80 [0xa07e7174]>{type = immutable, count = 2, values = (
\n19:51 < SpaceBass2> ?
\n19:51 <@dre^> heh, no not that specific line
\n19:51 <@dre^> but that begins a block…
\n19:51 <@dre^> 432: GetPrimaryHostName
\n19:51 <@dre^> then it steps through your network interfaces
\n19:52 <@dre^> in the two blocks that follow
\n19:52 <@dre^> for each interface, you see attributes like family, dnsName, name, serviceName, etc
\n19:52 <@dre^> note that the second one has isPrimaryIPv4Interface
\n19:52 < SpaceBass2> brb….going to change root on several computers
\n19:52 <@dre^> guess which one that is :)
\n19:52 <@dre^> good idea
\n19:53 <@dre^> you *should* be able to solve this by simply setting 10.1.1.5 as your primary address
\n19:53 <@dre^> which you can do by drag \/ drop in the network prefpane’s list of interfaces (under ‘change network service order’, from the gear menu)
\n19:54 <@dre^> woohoo, we found the problem!
\n19:54 < SpaceBass2> one sec…
\n19:55 <@dre^> do you mind if I post this chat log to my blog?
\n19:55 < SpaceBass2> and I created a huge one
\n19:55 <@dre^> yeah, heh. happens to everybody at one time or another…
\n19:55 < SpaceBass2> no, please do…I was going to ask you if I could keep it too
\n19:55 <@dre^> just be fast about changing and double-check access logs…
\n19:56 <@dre^> I’ve actually typed passwords directly into IRC before, when I thought a certain window had focus but between the time that it had focus and the time I typed the password, something caused a change in window focus…
\n19:56 <@dre^> like an errant mouse click, for instance…
\n19:56 < SpaceBass2> ok… ssh closed …. passwords changed
\n19:57 * SpaceBass2 wipes brow
\n19:57 <@dre^> so anyway, do you see what’s going on line 432?
\n19:57 <@dre^> “going on on line 432”
\n19:58 <@dre^> “GetPrimaryHostName”… this result will be used to form the server name portion of the kerberos service principal
\n19:58 < SpaceBass2> leme look
\n19:59 <@dre^> looking at the two blocks directly following (434 – 439 and 441 – 448), you can see attributes that look like they are related to network interfaces
\n19:59 <@dre^> like ipAddress, dnsName, family, etc
\n19:59 < SpaceBass2> ahhhh
\n19:59 < SpaceBass2> snap!
\n19:59 <@dre^> so the bonus question is:
\n19:59 <@dre^> how does the system determine what the primary hostname is?
\n19:59 < SpaceBass2> of course
\n19:59 <@dre^> look at the differences in the attributes for each interface
\n19:59 < SpaceBass2> there’s no DNS entry for the 2nd interface
\n20:00 <@dre^> well… they both have dnsName
\n20:00 <@dre^> but what attribute is present for one but not the other?
\n20:00 < SpaceBass2> looking
\n20:00 <@dre^> ok there’s two… userDefinedName, and one other… the other one is the key :)
\n20:01 < SpaceBass2> yep… .nsnet.com vs .local
\n20:01 < SpaceBass2> binbo
\n20:01 < SpaceBass2> bingo
\n20:01 <@dre^> no no
\n20:01 <@dre^> keep looking
\n20:01 <@dre^> how does it know which of those to choose?
\n20:01 < SpaceBass2> en0?
\n20:01 <@dre^> nope
\n20:01 <@dre^> which attribute is present for one but not the other?
\n20:01 < SpaceBass2> ok…leme keep looking
\n20:01 <@dre^> besides userDefinedName
\n20:01 < SpaceBass2> dont tell me
\n20:02 <@dre^> en0 is not an attribute, it’s a value
\n20:02 < SpaceBass2> d’oh
\n20:02 < SpaceBass2> isPrimaryIPv4Interface = true
\n20:02 <@dre^> the attribute that corresponds to en0 is ‘name’, as in the bsd name of the interface
\n20:02 <@dre^> yep, that’s the one
\n20:02 < SpaceBass2> I’m actually laughing out loud
\n20:02 <@dre^> so then, how do you set which is the primary interface? :)
\n20:02 < SpaceBass2> never in a million years
\n20:02 < SpaceBass2> well now, thats a good question
\n20:03 <@dre^> there is a very easy GUI answer, also :)
\n20:03 < SpaceBass2> b\/c the one it identifies as primary is actually a copy
\n20:03 <@dre^> and that’s perfectly legit
\n20:03 < SpaceBass2> I’m guessing you go into network prefs and drag it first
\n20:03 <@dre^> yep!
\n20:03 < SpaceBass2> ALRIGHT!
\n20:03 <@dre^> the top-most active interface is the primary
\n20:03 <@dre^> you should be able to simply make that change and re-run sso_util
\n20:04 < SpaceBass2> ok …what if I just delete it?
\n20:04 < SpaceBass2> since I dont need it?
\n20:04 <@dre^> well… that could be a problem
\n20:04 < SpaceBass2> ok
\n20:04 <@dre^> because when you promote to master, the primary hostname \/ address is encoded in several spots
\n20:04 <@dre^> but no fear: changeip to the rescue
\n20:05 <@dre^> so you want to changeip over to .15 \/ vail.nsnet.com
\n20:05 <@dre^> see the changeip manpage for examples
\n20:05 < SpaceBass2> ok,… the one listed as primary is actually 2nd in the gui
\n20:05 <@dre^> really?!?
\n20:05 < SpaceBass2> yeah
\n20:05 <@dre^> well, which gui
\n20:05 <@dre^> are you in ‘change network service order’, or the overview?
\n20:06 <@dre^> sorry, ‘set network service order’, under the gear menu
\n20:06 < SpaceBass2> https:\/\/www.flickr.com\/photos\/nickdawson\/2634507389\/<\/p>\n

\"2634507389_b6afcbb829.jpg\"<\/p>\n

20:06 <@dre^> which is just above the lock
\n20:06 <@dre^> ya, click the gear icon
\n20:06 <@dre^> ‘set network service order’
\n20:06 < SpaceBass2> modem, if1 (.15) firewire if2 (.17)
\n20:07 < SpaceBass2> .17 is the one set as .local and primary and is not needed
\n20:07 <@dre^> .17 should appear above .15 in the ‘set network service order’ list
\n20:07 <@dre^> since it is in fact the primary, and that list order is supposed to be what defines the primary
\n20:08 <@dre^> on the ohter hand
\n20:08 <@dre^> most of hte system appears to believe that vail.nsnet.com is the primary hostname
\n20:08 <@dre^> which suggest that somehow, somewhere, the network config got confused
\n20:08 <@dre^> what I would try is simply dragging .17 to the top, and then dragging .15 to the top
\n20:09 <@dre^> which should re-set the isPrimaryIPv4Interface to be correct
\n20:09 < SpaceBass2> back…had to get power
\n20:09 < SpaceBass2> https:\/\/www.flickr.com\/photos\/nickdawson\/2635335214\/<\/p>\n

\"2635335214_1c1a36fc13.jpg\"<\/p>\n

20:10 <@dre^> yeah just try dragging ‘ethernet’ to the top
\n20:10 <@dre^> er sorry
\n20:10 <@dre^> oh wow
\n20:10 <@dre^> no this is very broken
\n20:10 <@dre^> lol
\n20:10 < SpaceBass2> lol!
\n20:10 <@dre^> both of those interfaces claim to be ‘en0’
\n20:11 <@dre^> which is theoretically impossible
\n20:11 < SpaceBass2> well, in linux-speak … en1 and en1:1
\n20:11 <@dre^> right, but when you create virtual interfaces in os x, they each get unique bsd names
\n20:11 < SpaceBass2> in other words 10.1.1.17 is a vitrual IP
\n20:11 < SpaceBass2> right
\n20:11 < SpaceBass2> and bsd interface names baffle me :D
\n20:12 <@dre^> hmm… actually maybe I’m wrong about that. ifconfig would show them in teh same physical interface
\n20:12 <@dre^> os maybe this isn’t horribly broken as I thought
\n20:12 <@dre^> but they are definitely ordered wrong, or at least the OS thinks they are
\n20:12 <@dre^> (you can use ifconfig to read, but should not use it to change settings)
\n20:12 < SpaceBass2> how detrimental would it be to delete the virtual IP?
\n20:12 <@dre^> (the os x equivalent is ipconfig)
\n20:13 <@dre^> probably not very, since your system already thinks it is vail.nsnet.com
\n20:13 < SpaceBass2> yeah, I know ifconfig :D …
\n20:13 <@dre^> except for this one little piece of configuration which is wrong
\n20:13 <@dre^> but just to be safe, disable it instead of deleting
\n20:13 < SpaceBass2> ok
\n20:13 <@dre^> gear –> make service inactive
\n20:13 <@dre^> that way you can always turn it on if something assplodes
\n20:14 < SpaceBass2> is that the same as ifconfig <interface> down ?
\n20:14 <@dre^> yes, but don’t do that in os x
\n20:14 <@dre^> you should only use ifconfig to read settings, not write them
\n20:14 < SpaceBass2> yeah?
\n20:14 < SpaceBass2> you mentioned that
\n20:14 <@dre^> (because ifconfig bypasses the system frameworks that are used by the rest of the OS)
\n20:15 < SpaceBass2> I always have to remind myself that bash in osx is truly just a shell
\n20:15 <@dre^> so you could make a change, but hte OS doens’t know the change was made (only the very low networking layers), and so e.g. network prefs would be totally ignorant of the change
\n20:15 < SpaceBass2> which is arguably the way it should be
\n20:15 <@dre^> if you want to make network changes from the cli, use ipconfig or networksetup
\n20:16 <@dre^> so disable the interface and re-run sso_util
\n20:16 <@dre^> brb, potty
\n20:16 < SpaceBass2> jawdrop – ipconfig is a binary in 10.5 … wow
\n20:18 < SpaceBass2> ok … re-ran and same result …still .local
\n20:18 < SpaceBass2> but I feel that we are very close :D
\n20:18 <@dre^> hmm
\n20:18 <@dre^> let me see that relevant hunk of sso_util configure -v 7 output
\n20:19 < SpaceBass2> Entry for principal ftp\/vail.local@NSNET.COM with kvno 7, encryption type ArcFour with HMAC\/md5 added to keytab WRFILE:\/etc\/krb5.keytab.
\n20:19 <@dre^> the part where it detects network name
\n20:19 < SpaceBass2> leme get it
\n20:19 <@dre^> GetPrimaryHostName
\n20:20 < SpaceBass2> https:\/\/pastebin.ca\/1061809<\/p>\n

http:\/\/dreness.com\/bits\/tech\/applied_kerberos_troubleshooting\/paste3<\/a><\/p>\n

20:21 <@dre^> (loading)
\n20:24 <@dre^> well tha’ts bizarre…
\n20:24 <@dre^> it still think vail.local is primary
\n20:26 <@dre^> maybe you will need to delete .17
\n20:26 <@dre^> it could also be that the settings are horked enough that you cannot change them
\n20:26 < SpaceBass2> yeah, not ruling that out
\n20:26 <@dre^> (you did remember to click Apply right?)
\n20:26 <@dre^> in network prefs…
\n20:27 < SpaceBass2> heck, let me delete it and see
\n20:27 < SpaceBass2> yeah, closed prefs and re-opned even
\n20:28 < SpaceBass2> BOOM!
\n20:28 < SpaceBass2> removed it and bingop
\n20:28 < SpaceBass2> bingo
\n20:28 < SpaceBass2> xmpp\/vail.nsnet.com@NSNET.COM
\n20:28 <@dre^> woot!
\n20:28 < SpaceBass2> high-five!
\n20:28 <@dre^> ^5 :)<\/p>\n

Epilogue: After re-reading this, I realized that his afp server is actually a separate host from his OD master (vail), but the same troubleshooting steps apply… so in the end, I might not have actually fixed the AFP mounting problem, but we did fix at least *some* problems :)<\/p>\n

Finally: if anyone knows how to make WordPress not DELETE AN ENTIRE POST when you paste in a chunk of text that is too big; or, how to adjust this threshold, please tell me. This post took entirely too long to compose, as I had to move text around in increasingly smaller chunks to work around this problem.<\/p>\n","protected":false},"excerpt":{"rendered":"

The following is an IRC transcript taken from #afp548, irc.freenode.net. It chronicles the troubleshooting process of a fairly well-hidden edge case of Kerberos configuration in Mac OS X Server. pastebin.ca was used to relay larger hunks of textual information; I’ve … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,3,10],"tags":[],"class_list":["post-43","post","type-post","status-publish","format-standard","hentry","category-os-x","category-os-x-server","category-tutorials"],"_links":{"self":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts\/43","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/comments?post=43"}],"version-history":[{"count":11,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts\/43\/revisions"}],"predecessor-version":[{"id":1270,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/posts\/43\/revisions\/1270"}],"wp:attachment":[{"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/media?parent=43"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/categories?post=43"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dreness.com\/blog\/wp-json\/wp\/v2\/tags?post=43"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}