Have you ever tried to get a list of group members into a text file?
You can do it this way:
dscl /LDAPv3/ldap.company.com -read /Groups/ThisGroup Member > ThisGroupsMembers.txt
Monday, October 29, 2007
Wednesday, October 17, 2007
Join Kerberos
I was having some trouble getting a server to join Kerberos.
After some time I found out that the problem was related to a correct DNS entry.
So there are two ways to fix this:
a) Correct the DNS.
b) If that is not possible for some reason, as in my case, you may try this:
Use a text editor to open the /etc/hosts file, then add the following entry to the end of the file:
IP address FQDN
... where IP address is the IP address of the KDC, and FQDN is the fully qualified domain name that you specified on your DNS server.
For example: 123.456.78.910 www.example.com
In Terminal (/Applications/Utilities), execute the following command:
sudo scutil --set HostName FQDN
... where FQDN is the fully qualified domain name of this server that was configured on your DNS server.
After that I had no problems joining Kerberos using:
sso_util remove -k -a diradminuser -p diradminpassword
rm /etc/krb5.keytab
# rm /Library/Preferences/edu.mit.Kerberos
# rm -R /Library/Preferences/DirectoryService/
rm -R /var/db/krb5kdc/*
/usr/sbin/sso_util configure -r LDAP.HOPRO.EDU -a diradminuser -p diradminpassword -f /LDAPv3/ipaddrofladserver -v 1 all
Hint found here:
Mac OS X Server 10.4: Kerberos authentication services may not successfully start
Wednesday, October 10, 2007
Passwords not working?
Are you running a Mac OS X server and having trouble with your passwords?
The symptoms you see are:
- A user can't log in to some systems
- The /Library/Logs/PasswordService/ApplePasswordServer.Server.log on the relevant password server contains this message:
Dec 5 2005 14:28:26 AUTH2: {0x4322345c67952fc40000016800000685, user1} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
Then have a look at this document:
Mac OS X Server: Authentication issues with DIGEST-MD5, "SASL error -13"
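To see which accounts are hitting this symptom and how often, the log can be summarised per user. The following is an added example, not part of the original post or of Apple's tooling: a shell function that counts DIGEST-MD5 "SASL error -13" lines per account and reports the last time each was seen. The sample lines are constructed from the single log line quoted above; the second slot ID, user2 and the unrelated line are made up.

```shell
#!/bin/sh
# Added example: per-user summary of DIGEST-MD5 "SASL error -13" failures
# in an ApplePasswordServer.Server.log-style file.

# Constructed sample input, modelled on the one log line quoted in the post.
sample_log() {
cat <<'EOF'
Dec 5 2005 14:28:26 AUTH2: {0x4322345c67952fc40000016800000685, user1} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
Dec 5 2005 14:29:02 AUTH2: {0x4322345c67952fc40000016800000685, user1} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
Dec 5 2005 14:31:40 AUTH2: {0x0000000000000000000000000000002a, user2} DIGEST-MD5 authentication failed, SASL error -13 (password incorrect).
Dec 5 2005 14:33:00 (constructed unrelated line, must be ignored)
EOF
}

# sasl13_by_user [FILE]
# Reads FILE (or stdin when no FILE is given) and prints one line per
# account: "<failure count> <user> <timestamp of last failure>",
# sorted by count (highest first), then by user name.
sasl13_by_user() {
    awk '
    /DIGEST-MD5 authentication failed, SASL error -13/ {
        # The account name is the second item inside "{slot-id, user}".
        lb = index($0, "{")
        rb = index($0, "}")
        if (lb == 0 || rb <= lb) next          # malformed line: skip it
        inner = substr($0, lb + 1, rb - lb - 1)
        if (split(inner, parts, /, */) < 2) next
        user = parts[2]
        count[user]++
        # Timestamp is the first four fields: month day year time.
        last[user] = $1 " " $2 " " $3 " " $4
    }
    END {
        for (u in count) printf "%d %s %s\n", count[u], u, last[u]
    }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

# Run against a real log if a path is given, otherwise against the sample.
if [ -n "${1:-}" ]; then
    sasl13_by_user "$1"
else
    sample_log | sasl13_by_user
fi
```

On a password server, pass the log path from the post as the first argument: /Library/Logs/PasswordService/ApplePasswordServer.Server.log.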